Bug ID 421429: Client-initiated renegotiation for server ssl profile does not work with DTLS when it connects to another BIG-IP clientssl.

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF9

Opened: May 18, 2013

Severity: 3-Major

Related Article: K15463

Symptoms

Client-initiated renegotiation for Server SSL profile does not work with DTLS when it connects to another BIG-IP Client SSL.

Impact

Attempts to renegotiate Datagram Transport Layer Security (DTLS) connections between BIG-IP systems might fail.

Conditions

This issue occurs when the following condition is met: A BIG-IP system configured with a Server SSL profile attempts to renegotiate a DTLS connection with a BIG-IP system configured with a Client SSL profile. The Server SSL side is the DTLS client (it sends the ClientHello), and the exchange proceeds as follows:

    BIG-IP (Server SSL)                          BIG-IP (Client SSL)
            |                                            |
            |----------ClientHello (no cookie)---------->|
            |<---------HelloVerifyRequest (cookie)-------|
            |----------ClientHello (with cookie)-------->|
            |                                            |
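The exchange above is the standard DTLS cookie exchange of RFC 6347 section 4.2.1: a cookieless ClientHello is answered statelessly with a HelloVerifyRequest, and the client must resend the same ClientHello carrying the cookie before the server allocates any state. The following is an added example, not BIG-IP code and not a model of the defect itself; it models both sides of that exchange (the Server SSL profile as DTLS client, the Client SSL profile as DTLS server) for an initial handshake and for a renegotiation, and shows why a cookie issued to one source address is rejected when replayed from another. The class and function names, addresses and cipher suite values are assumptions made for the example.

```python
import hashlib
import hmac
import os


class ClientHello:
    """The fields the server binds into the cookie (constructed model, not a wire codec)."""

    def __init__(self, version, random, cipher_suites, cookie=b""):
        self.version = version            # 0xFEFF is DTLS 1.0 on the wire
        self.random = random              # 32-byte client random
        self.cipher_suites = cipher_suites
        self.cookie = cookie              # empty on the first flight of any handshake


class DtlsServer:
    """Client SSL profile side: answers a cookieless ClientHello without keeping state."""

    def __init__(self, secret=None):
        # RFC 6347 keys the cookie with a server secret it rotates periodically.
        self.secret = secret if secret is not None else os.urandom(32)

    def _cookie(self, peer, hello):
        # Cookie = HMAC(Secret, Client-IP, Client-Parameters): recomputable from the
        # retried ClientHello, so nothing needs to be remembered between flights.
        msg = b"".join([
            peer[0].encode(), peer[1].to_bytes(2, "big"),
            hello.version.to_bytes(2, "big"), hello.random,
            b"".join(cs.to_bytes(2, "big") for cs in hello.cipher_suites),
        ])
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def handle_client_hello(self, peer, hello):
        """Return (message_name, cookie_or_None) for one received ClientHello."""
        expected = self._cookie(peer, hello)
        if not hello.cookie:
            return ("HelloVerifyRequest", expected)
        if not hmac.compare_digest(hello.cookie, expected):
            # Wrong cookie, or a valid one replayed from a different address:
            # silently drop, still without allocating state.
            return ("Drop", None)
        return ("ServerHello", None)


class DtlsClient:
    """Server SSL profile side: initiates the handshake and any renegotiation."""

    def __init__(self, addr, cipher_suites=(0x002F, 0x0035)):
        self.addr = addr
        self.cipher_suites = cipher_suites

    def run_handshake(self, server):
        """Run one handshake (initial or renegotiation); return the message transcript."""
        hello = ClientHello(0xFEFF, os.urandom(32), self.cipher_suites)
        transcript = ["ClientHello(no cookie)"]
        kind, cookie = server.handle_client_hello(self.addr, hello)
        transcript.append(kind)
        if kind == "HelloVerifyRequest":
            # A renegotiation starts with a fresh ClientHello, so this branch must be
            # taken on the second handshake exactly as on the first.  Retry with the
            # identical parameters plus the cookie so the server's recomputation matches.
            hello.cookie = cookie
            transcript.append("ClientHello(with cookie)")
            kind, _ = server.handle_client_hello(self.addr, hello)
            transcript.append(kind)
        return transcript


def replay_cookie_from_other_address(server):
    """Obtain a cookie as 10.0.0.1 and present it from 10.0.0.2 (constructed addresses)."""
    hello = ClientHello(0xFEFF, os.urandom(32), (0x002F,))
    _, cookie = server.handle_client_hello(("10.0.0.1", 5000), hello)
    hello.cookie = cookie
    kind, _ = server.handle_client_hello(("10.0.0.2", 5000), hello)
    return kind


if __name__ == "__main__":
    srv = DtlsServer()
    cli = DtlsClient(("10.0.0.1", 5000))
    print("initial:      ", cli.run_handshake(srv))
    print("renegotiation:", cli.run_handshake(srv))
    print("spoofed peer: ", replay_cookie_from_other_address(srv))
```

Running both handshakes against the same server shows that the renegotiation is indistinguishable, from the cookie exchange's point of view, from the initial handshake: whichever side initiates must be prepared to receive a HelloVerifyRequest and retry with the cookie on every handshake, not only the first.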

Workaround

Do not directly connect two BIG-IP systems by DTLS.

Fix Information

Client-initiated renegotiation for Server SSL profile now works with DTLS when it connects to another BIG-IP Client SSL.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips