Bug ID 467507: Use decrypted CCS flag instead of CCS flag.

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP None(all modules)

Known Affected Versions:
10.2.4, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4

Fixed In:
11.6.0, 11.5.1 HF5, 11.4.1 HF9, 11.3.0 HF9, 11.2.1 HF15

Opened: Jun 16, 2014
Severity: 2-Critical

Symptoms

In renegotiation, sp->rxccs is set when encrypted CCS is received. Decrypted Client Key Exchange message could be received after encrypted CCS message is received. So BIGIP should use decrypted CCS flag instead of encrypted CCS flag.

Impact

SSL handshake fails.

Conditions

Decrypted Client Key Exchange message could be received after encrypted CCS message is received.

Workaround

None

Fix Information

Use decrypted CCS flag instead of CCS flag. In renegotiation, sp->rxccs is set when encrypted CCS is received. Decrypted Client Key Exchange message could be received after encrypted CCS message is received. So BIGIP should use decrypted CCS flag instead of encrypted CCS flag.

Behavior Change