Symptoms

SSL has memory leak if during SSL negotiation peer sent a certificate chain but BIG-IP configured only Root certificate as trusted CA. tmsh show sys memory: ssl_hs, ssl_hs_m and/or ssl memory usage will get bigger. The system may eventually out of memory and crash.

Impact

The BIG-IP system will run out of memory, and eventually the BIG-IP TMM may crash.

Conditions

If peer sends certificate chain such as Root-Intermediate-Leaf certificates, but BIG-IP SSL only configured Root cert as trusted CA, then there is SSL memory leak. If peer sends certificate chain such as Root-Intermediate-Leaf certificates, but BIG-IP SSL configured Root-Intermediate certs as trusted CAs, then there is NOT memory leak.

Workaround

The workaround if applicable is to configure Root CA cert and all Intermediate CA certs in the trusted CA certs.

Fix Information

The SSL certificate chain verification is now handled correctly, and the memory leak is no longer seen.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips