Last Modified: Nov 07, 2022
Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2
11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF9, 11.3.0 HF9, 11.2.1 HF15
Opened: Jun 06, 2014
Severity: 3-Major
BIG-IP virtual servers doing TLS termination are not vulnerable to CVE-2014-0224. OpenSSL has made a change to disallow early change cipher spec messages. This fix imitates that behavior.
We should not tolerate an SSL handshake message received out of sequence. In this case, a CCS (change-cipher-spec) message is received before the Client Key Exchange.
A CCS (change-cipher-spec) message is received before the Client Key Exchange.
BIG-IP TLS virtual servers will now reject the connection when an early CCS message is received.
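
The sequence check described above, as an added example (not F5 or OpenSSL code): a minimal parser over a client's plaintext TLS records that rejects a change-cipher-spec arriving before the Client Key Exchange. It assumes a full, non-resumed handshake; the function names are hypothetical and the sample records are constructed.

```python
import struct

CCS, HANDSHAKE = 20, 22          # TLS record content types
CLIENT_KEY_EXCHANGE = 16         # handshake message type

def record(ctype, payload, version=0x0303):
    """Build one TLS record: type(1) + version(2) + length(2) + payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def hs(msg_type, body):
    """Build one handshake message: type(1) + length(3) + body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def check_client_flight(stream):
    """Return 'accept', 'reject' or 'incomplete' (assumes a full handshake)."""
    seen_cke = False
    pending = b""                # handshake bytes; a message may span records
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5 : pos + 5 + length]
        if len(payload) < length:
            return "incomplete"  # truncated record
        pos += 5 + length
        if ctype == CCS:
            # CCS is valid only after a complete ClientKeyExchange.
            return "accept" if seen_cke and not pending else "reject"
        if ctype == HANDSHAKE:
            pending += payload
            while len(pending) >= 4:
                mlen = int.from_bytes(pending[1:4], "big")
                if len(pending) < 4 + mlen:
                    break        # message continues in the next record
                seen_cke |= pending[0] == CLIENT_KEY_EXCHANGE
                pending = pending[4 + mlen:]
    return "incomplete"          # no CCS seen yet

# Constructed sample data (placeholder bodies, not real handshake contents).
HELLO = hs(1, b"\x00" * 38)
CKE = hs(CLIENT_KEY_EXCHANGE, b"\x00" * 130)
CCS_REC = record(CCS, b"\x01")
NORMAL = record(HANDSHAKE, HELLO) + record(HANDSHAKE, CKE) + CCS_REC
EARLY = record(HANDSHAKE, HELLO) + CCS_REC + record(HANDSHAKE, CKE)
FRAGMENTED = record(HANDSHAKE, CKE[:50]) + record(HANDSHAKE, CKE[50:]) + CCS_REC
```

A resumed (abbreviated) handshake legitimately has no Client Key Exchange, so a real implementation keys this check to the negotiated handshake type.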