Last Modified: Nov 22, 2021
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.0.0
Fixed In:
12.1.0, 12.0.0 HF1
Opened: Oct 02, 2015
Severity: 2-Critical
SSL leaks memory if, during SSL negotiation, the peer sends a certificate chain but the BIG-IP system is configured with only the Root certificate as a trusted CA. In the output of tmsh show sys memory, the ssl_hs, ssl_hs_m and/or ssl memory usage grows. The system may eventually run out of memory and crash.
The BIG-IP system will run out of memory, and eventually the BIG-IP TMM may crash.
If the peer sends a certificate chain such as Root-Intermediate-Leaf certificates, but BIG-IP SSL is configured with only the Root cert as a trusted CA, then there is an SSL memory leak. If the peer sends a certificate chain such as Root-Intermediate-Leaf certificates, and BIG-IP SSL is configured with the Root and Intermediate certs as trusted CAs, then there is no memory leak.
The workaround, if applicable, is to include the Root CA cert and all Intermediate CA certs in the trusted CA certs.
The SSL certificate chain verification is now handled correctly, and the memory leak is no longer seen.
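To check whether a trusted CA bundle already covers every CA certificate a peer sends, as the workaround above requires, the following added example (not F5 code and not part of the original report) compares the two PEM files by SHA-256 over each certificate's DER bytes. It assumes the peer chain file lists the leaf first; the function names are hypothetical, and the sample certificates are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate in a PEM file, in file order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]


def missing_ca_certs(peer_chain_pem, trusted_bundle_pem, leaf_index=0):
    """Return (chain position, fingerprint) for each CA certificate the peer
    sends that is absent from the trusted bundle. The leaf is skipped because
    only Root and Intermediate CA certs belong in the trusted CA certs.
    Assumption: the leaf sits at leaf_index (0 = leaf-first ordering)."""
    trusted = set(pem_fingerprints(trusted_bundle_pem))
    return [(i, fp)
            for i, fp in enumerate(pem_fingerprints(peer_chain_pem))
            if i != leaf_index and fp not in trusted]


def fake_pem(label):
    """Constructed stand-in for a certificate: PEM framing around dummy bytes."""
    body = base64.b64encode(label.encode() * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data: a three-certificate peer chain, leaf first.
LEAF, INTERMEDIATE, ROOT = (fake_pem(n) for n in ("leaf", "intermediate", "root"))
PEER_CHAIN = LEAF + INTERMEDIATE + ROOT

if __name__ == "__main__":
    bundles = (("root only", ROOT), ("root + intermediate", ROOT + INTERMEDIATE))
    for name, bundle in bundles:
        gaps = missing_ca_certs(PEER_CHAIN, bundle)
        if gaps:
            # This is the configuration the report ties to the leak.
            print(f"{name}: missing CA certs at chain positions {[i for i, _ in gaps]}")
        else:
            print(f"{name}: bundle covers every CA cert in the chain")
```

With real files, pass the contents of the peer's chain and of the bundle configured as trusted CAs; a non-empty result means the profile matches the condition described in this report.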