Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Fixed In:
12.1.0, 11.6.1, 11.5.4 HF2
Opened: Sep 18, 2015 Severity: 4-Minor Related Article:
K72042050
Sometimes BIG-IP system responds with a fatal-handshake alert and closes the SSL session for a new connection when a ClientHello record is split between two or more packets. If SSL debug logging is enabled, the system logs an error such as the following: 01260009:7: Connection error: ssl_hs_rxhello:6210: ClientHello contains extra data (47). Note: For information on SSL debug logging, see SOL15292: Troubleshooting SSL/TLS handshake failures at https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html.
SSL connections fail to complete with a handshake failure.
This occurs when a SSL ClientHello record is split across multiple TCP segments, and the last segment is relatively small.
No workaround.
SSL handshakes no longer fails to complete when the ClientHello is split across multiple TCP segments, and the last segment is relatively small.