Last Modified: Mar 17, 2021
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 11.6.4, 11.6.5, 126.96.36.199, 188.8.131.52, 184.108.40.206
Opened: Feb 04, 2015
Handshake failures during certificate chain verification.
SSL handshake failures: the BIG-IP system does not respond to Server Hello Done with IIS. This occurs because the 'Server Hello', 'Certificate', 'Server Key Exchange', 'Certificate Request' and 'Server Hello Done' are all in a single SSL record, which does not trigger the next state, and the operation stalls.
-- Using Internet Information Services (IIS) for Windows Server.
-- The ca-file is set to root CA.
-- Configured with DHE, ECDHE ciphersuite, or client auth (anything except an RSA-based key transport suite such as AES128-SHA).
Add intermediate certificates.
The BIG-IP system now iterates through all certificates in a chain, so handshake failures no longer occur under these conditions.
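To confirm from a packet capture that a server flight matches the condition above (several handshake messages packed into one SSL record), the record can be split into its individual messages. This is an added example, not F5 code; the function name and the sample record with placeholder bodies are constructed for illustration.

```python
import struct

# Handshake message types (RFC 5246, section 7.4) seen in the server flight.
HANDSHAKE_TYPES = {2: "server_hello", 11: "certificate", 12: "server_key_exchange",
                   13: "certificate_request", 14: "server_hello_done"}
CONTENT_TYPE_HANDSHAKE = 22


def split_handshake_messages(record: bytes):
    """Return (name, body) for every handshake message in one TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    fragment = record[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated record fragment")
    messages, offset = [], 0
    # Read until the fragment is exhausted: stopping after the first message
    # would never reach server_hello_done when the flight is coalesced.
    while offset < len(fragment):
        if len(fragment) - offset < 4:
            raise ValueError("truncated handshake header")
        msg_type = fragment[offset]
        msg_len = int.from_bytes(fragment[offset + 1:offset + 4], "big")
        body = fragment[offset + 4:offset + 4 + msg_len]
        if len(body) != msg_len:
            raise ValueError("handshake message continues in another record")
        messages.append((HANDSHAKE_TYPES.get(msg_type, f"type_{msg_type}"), body))
        offset += 4 + msg_len
    return messages


def _msg(msg_type: int, body: bytes) -> bytes:
    """Build one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed sample: five messages with zero-filled placeholder bodies,
# wrapped in a single TLS 1.2 handshake record. Not a real capture.
SAMPLE_FLIGHT = b"".join(_msg(t, b"\x00" * n) for t, n in
                         [(2, 38), (11, 10), (12, 8), (13, 6), (14, 0)])
SAMPLE_RECORD = struct.pack("!BHH", 22, 0x0303, len(SAMPLE_FLIGHT)) + SAMPLE_FLIGHT

if __name__ == "__main__":
    for name, body in split_handshake_messages(SAMPLE_RECORD):
        print(f"{name:22s} {len(body)} bytes")
```

A record that yields all five message names, ending in `server_hello_done`, is the coalesced layout named in the description.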