Bug ID 550124: SSL has memory leak when peer sent a certificate chain but BIG-IP SSL configured only Root certificate as trust CA.

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
12.0.0

Fixed In:
12.1.0, 12.0.0 HF1

Opened: Oct 02, 2015
Severity: 2-Critical

Symptoms

SSL has memory leak if during SSL negotiation peer sent a certificate chain but BIG-IP configured only Root certificate as trusted CA. tmsh show sys memory: ssl_hs, ssl_hs_m and/or ssl memory usage will get bigger. The system may eventually out of memory and crash.

Impact

The BIG-IP system will run out of memory, and eventually the BIG-IP TMM may crash.

Conditions

If peer sends certificate chain such as Root-Intermediate-Leaf certificates, but BIG-IP SSL only configured Root cert as trusted CA, then there is SSL memory leak. If peer sends certificate chain such as Root-Intermediate-Leaf certificates, but BIG-IP SSL configured Root-Intermediate certs as trusted CAs, then there is NOT memory leak.

Workaround

The workaround if applicable is to configure Root CA cert and all Intermediate CA certs in the trusted CA certs.

Fix Information

The SSL certificate chain verification is now handled correctly, and the memory leak is no longer seen.

Behavior Change