Last Modified: Jul 13, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1
Fixed In:
12.0.0, 11.6.3.2
Opened: Apr 08, 2015
Severity: 4-Minor
Related Article:
K40424522
Applications including Microsoft Internet Explorer (IE) that use the Microsoft Secure Channel ('Schannel') TLS library may experience TLS handshake failures while accessing virtual servers with Client SSL profiles. When the client and server select a TLS ciphersuite that uses ephemeral Diffie-Hellman (DHE) key exchange, the server (the BIG-IP system) sends a ServerKeyExchange message with Diffie-Hellman parameters to the client. For a subset of the generated parameters (approximately 1 in 128 for 1024-bit DH parameters), the length of the encoded 'dh_Ys' parameter is less than the length of the encoded 'dh_p' parameter. As a result of that encoding, combined with an issue in the Schannel library, the client experiences a fatal error and is unable to complete the TLS handshake. When this issue occurs, only a subset of TMMs (potentially only one) may experience handshake failures, because each TMM generates unique DH parameters. Handshake failures may last for up to an hour, as each TMM regenerates parameters every hour.
Schannel-based applications may be unable to complete TLS handshakes with one or more TMMs on a system for up to an hour. Other clients are unaffected, and can successfully complete TLS handshakes.
- Virtual servers with Client SSL profiles.
- Client applications using the Secure Channel (Schannel) TLS library. Relevant clients include IE.
- The BIG-IP system selects a ciphersuite that uses DHE key exchange. Note that the ECDHE key exchange is unaffected.
Disable DHE cipher suites in client-ssl profiles, as follows:
* 'DEFAULT:!EDH' to permanently remove DH-based ciphersuites.
* 'DEFAULT:-EDH:DEFAULT+EDH' to move them to the end of the preference list.
In order to avoid this issue, the BIG-IP ensures that the encoded Diffie-Hellman parameters ('dh_p' and 'dh_Ys') in TLS ServerKeyExchange are always the same length by padding 'dh_Ys' with leading 0x00 bytes.
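The encoding difference described above, as an added example that is not F5 code: it builds the TLS ServerDHParams structure (RFC 5246) with and without the leading-zero padding of 'dh_Ys', then parses it back and flags the short case. The function names and the sample values are constructed for illustration; the modulus is not a vetted prime.

```python
import struct

def encode_dh_params(p: int, g: int, ys: int, pad_ys: bool) -> bytes:
    """Encode TLS ServerDHParams: three opaque<1..2^16-1> vectors."""
    def minimal(n: int) -> bytes:
        return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    p_bytes = minimal(p)
    # pad_ys=True mirrors the fix described above: left-pad dh_Ys with 0x00
    # bytes so that it is exactly as long as dh_p.
    ys_bytes = ys.to_bytes(len(p_bytes), "big") if pad_ys else minimal(ys)
    return b"".join(struct.pack("!H", len(v)) + v
                    for v in (p_bytes, minimal(g), ys_bytes))

def parse_dh_params(buf: bytes) -> dict:
    """Parse dh_p, dh_g, dh_Ys from the start of a ServerKeyExchange body."""
    fields, off = {}, 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(buf):
            raise ValueError(f"truncated length prefix for {name}")
        (length,) = struct.unpack_from("!H", buf, off)
        off += 2
        if length == 0 or off + length > len(buf):
            raise ValueError(f"bad length {length} for {name}")
        fields[name] = buf[off:off + length]
        off += length
    return fields  # any trailing signature bytes are ignored

def ys_shorter_than_p(buf: bytes) -> bool:
    """True when dh_Ys is encoded in fewer bytes than dh_p."""
    f = parse_dh_params(buf)
    return len(f["dh_Ys"]) < len(f["dh_p"])

# Constructed sample values (not real key material): a 1024-bit odd modulus
# and a public value below 2^1016, so its minimal encoding is 127 bytes.
P = (1 << 1023) | 0x1234567
G = 2
YS = (1 << 1010) | 0xABCDEF

if __name__ == "__main__":
    for pad in (False, True):
        msg = encode_dh_params(P, G, YS, pad_ys=pad)
        f = parse_dh_params(msg)
        print(f"pad_ys={pad}: len(dh_p)={len(f['dh_p'])} "
              f"len(dh_Ys)={len(f['dh_Ys'])} flagged={ys_shorter_than_p(msg)}")
```

Padding does not change the integer value of 'dh_Ys', so clients that already handled the short encoding are unaffected by it.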