Bug ID 465908: CVE-2014-0224: behavior change

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP All (all modules)

Known Affected Versions:
11.6.2 HF1, 11.2.1, 11.3.0, 11.4.0, 11.4.1

Fixed In:
11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF9, 11.3.0 HF9, 11.2.1 HF15

Opened: Jun 06, 2014

Severity: 3-Major


BIG-IP virtual servers doing TLS termination are not vulnerable to CVE-2014-0224. OpenSSL has made a change to disallow early change cipher spec messages. This fix imitates that behavior.


An incorrect SSL message sequence received from the peer should not be tolerated. In this case, a CCS (change-cipher-spec) message is received before the Client Key Exchange.


A CCS (change-cipher-spec) message is received before the Client Key Exchange.



Fix Information

BIG-IP TLS virtual servers will now reject the connection when an early CCS message is received.
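
The ordering check described above, sketched as an added example (not F5 or OpenSSL code): it walks the client-to-server TLS records and flags a CCS record that arrives before a ClientKeyExchange handshake message. It assumes a full (non-resumed) handshake and handshake messages that are not fragmented across records; the function names and sample byte strings are constructed for illustration.

```python
import struct

CCS, HANDSHAKE = 20, 22      # TLS record content types
CLIENT_KEY_EXCHANGE = 16     # handshake message type

def records(stream):
    """Yield (content_type, payload) for each TLS record in the stream."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        off += 5
        if len(stream) - off < length:
            raise ValueError("truncated record body")
        yield ctype, stream[off:off + length]
        off += length

def handshake_types(payload):
    """Yield the type of each handshake message packed into one record."""
    i = 0
    while i + 4 <= len(payload):
        yield payload[i]
        i += 4 + int.from_bytes(payload[i + 1:i + 4], "big")

def early_ccs(stream):
    """True if the client sent CCS before ClientKeyExchange."""
    seen_cke = False
    for ctype, payload in records(stream):
        if ctype == HANDSHAKE:
            seen_cke = seen_cke or CLIENT_KEY_EXCHANGE in handshake_types(payload)
        elif ctype == CCS:
            return not seen_cke   # records after CCS are encrypted; stop here
    return False

# Constructed sample data (not captured traffic).
def rec(ctype, body):
    return struct.pack("!BHH", ctype, 0x0301, len(body)) + body

def hs(msg_type, body=b"\x00" * 4):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

NORMAL = (rec(HANDSHAKE, hs(1)) + rec(HANDSHAKE, hs(16))
          + rec(CCS, b"\x01") + rec(HANDSHAKE, b"\xaa" * 40))
EARLY = rec(HANDSHAKE, hs(1)) + rec(CCS, b"\x01") + rec(HANDSHAKE, hs(16))

if __name__ == "__main__":
    print("normal:", early_ccs(NORMAL), "early:", early_ccs(EARLY))
```

A resumed session legitimately has a client CCS with no ClientKeyExchange, so a monitor built on this check needs to track resumption before alerting.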

Behavior Change
