Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0
Opened: Feb 04, 2015
Severity: 2-Critical
Handshake failures during certificate chain verification.
SSL handshake failures: the BIG-IP system does not respond to the Server Hello Done when the server is IIS. This occurs because the 'Server Hello', 'Certificate', 'Server Key Exchange', 'Certificate Request' and 'Server Hello Done' messages are all in a single SSL record, which does not trigger the next state, so the operation stalls.
-- Using Internet Information Services (IIS) for Windows Server.
-- The ca-file is set to root CA.
-- Configured with a DHE or ECDHE ciphersuite, or with client auth (anything except an RSA-based key transport suite such as AES128-SHA).
Add intermediate certificates.
The BIG-IP system now iterates through all certificates in a chain, so handshake failures no longer occur under these conditions.
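
To confirm from a packet capture that a server sends the whole flight in one SSL record, as the impact description above states, the record layer can be walked and the handshake messages in each record listed. This is an added diagnostic example, not F5 code; the function and helper names are hypothetical, the sample bytes are constructed, and it assumes the plaintext server flight of TLS 1.2 or earlier.

```python
import struct

# Handshake message types from the TLS specification (RFC 5246, section 7.4).
HANDSHAKE_TYPES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone"}

def handshake_messages_per_record(stream: bytes):
    """Return one list of handshake message names for each handshake record."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5 : pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        pos += 5 + length
        if ctype != 22:          # 22 = handshake; skip alerts, CCS, app data
            continue
        names, off = [], 0
        while off < len(body):
            # Messages fragmented over several records are not reassembled here.
            if len(body) - off < 4:
                raise ValueError("handshake header split across records")
            mtype = body[off]
            mlen = int.from_bytes(body[off + 1 : off + 4], "big")
            if off + 4 + mlen > len(body):
                raise ValueError("handshake message split across records")
            names.append(HANDSHAKE_TYPES.get(mtype, f"type_{mtype}"))
            off += 4 + mlen
        records.append(names)
    return records

def _msg(mtype: int, payload: bytes) -> bytes:
    """Build a handshake message: 1-byte type, 3-byte length, payload."""
    return bytes([mtype]) + len(payload).to_bytes(3, "big") + payload

def _record(body: bytes) -> bytes:
    """Wrap bytes in a TLS 1.2 handshake record header."""
    return struct.pack("!BHH", 22, 0x0303, len(body)) + body

# Constructed sample: placeholder payloads, not a real IIS capture.
FLIGHT = [_msg(2, b"\x00" * 38), _msg(11, b"\x00" * 3), _msg(12, b"\x00" * 8),
          _msg(13, b"\x00" * 4), _msg(14, b"")]
COALESCED = _record(b"".join(FLIGHT))                # one record, five messages
SEPARATE = b"".join(_record(m) for m in FLIGHT)      # one message per record
```

A result with all five names in a single inner list matches the record layout described for this bug; five single-item lists means the server sent each message in its own record.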