Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5
Fixed In:
12.0.0, 11.6.0 HF6
Opened: Mar 05, 2015 Severity: 2-Critical
BIG-IP SSL when serves as a SSL client and the ciphers used are ECDHE_ECDSA or DHE_DSS, it will send a bad client key exchange to SSL server in server initiated renegotiation.
SSL handshake failed. The SSL server may reset the SSL connection with an error: digest check failed, or ssl handshake failed.
BIG-IP acts as a SSL client and the ciphers used are ECDHE_ECDSA or DHE_DSS in server initiated renegotiation.
Do not use ciphers ECDHE_ECDSA or DHE_DSS.
BIG-IP SSL now works well with ciphers ECDHE_ECDSA or DHE_DSS in server initiated renegotiation where BIG-IP acts as a client.