Bug ID 425420: Server-side SSL can reuse expired session IDs

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1

Fixed In:
11.5.0, 11.2.1 HF16

Opened: Jul 17, 2013
Severity: 3-Major
Related AskF5 Article:
K15440

Symptoms

Server side SSL might send a session ID that should have expired to the SSL server

Impact

Very minimal. This is only a problem when the cache timeout set on the server ssl profile is less than the timeout set on the SSL server.

Conditions

Expiring SSL sessions

Workaround

None.

Fix Information

Server side SSL will no longer send expired session IDs to the server.

Behavior Change