Bug ID 474002: Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.2, 11.4.1 HF9, 11.2.1 HF15

Opened: Jul 31, 2014
Severity: 3-Major
Related Article:
K15972

Symptoms

If a BIG-IP virtual server is configured with a Server SSL profile, and a pool member or server selects a DHE-based ciphersuite (e.g. DHE-RSA-AES128-SHA), the BIG-IP system might not successfully complete an SSL handshake with the server.

Impact

Traffic to affected pool members fails, although the pool members are marked up by HTTPS monitors.

Conditions

This occurs when the following conditions exist: - HTTPS Pool member or server. - Virtual server with Server SSL profile. - Server is configured with 2048-bit or larger Diffie-Hellman keys.

Workaround

Either disable the use of ephemeral Diffie-Hellman (DHE) key exchange on the backend servers, select a smaller set of DH parameters on the backend servers, or disable DHE ciphersuites in affected virtual servers' Server SSL profiles.

Fix Information

BIG-IP system now successfully completes an SSL handshake with a server that is using Diffie-Hellman parameters that are 2048-bits or larger, up to 4096-bits.

Behavior Change