Bug ID 474002: Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP All(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.2, 11.4.1 HF9, 11.2.1 HF15

Opened: Jul 31, 2014

Severity: 3-Major

Related Article: K15972


If a BIG-IP virtual server is configured with a Server SSL profile, and a pool member or server selects a DHE-based ciphersuite (e.g. DHE-RSA-AES128-SHA), the BIG-IP system might not successfully complete an SSL handshake with the server.


Traffic to affected pool members fails, although the pool members are marked up by HTTPS monitors.


This occurs when the following conditions exist: - HTTPS Pool member or server. - Virtual server with Server SSL profile. - Server is configured with 2048-bit or larger Diffie-Hellman keys.


Either disable the use of ephemeral Diffie-Hellman (DHE) key exchange on the backend servers, select a smaller set of DH parameters on the backend servers, or disable DHE ciphersuites in affected virtual servers' Server SSL profiles.

Fix Information

BIG-IP system now successfully completes an SSL handshake with a server that is using Diffie-Hellman parameters that are 2048-bits or larger, up to 4096-bits.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips