Bug ID 590122: Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 12.1.0, 12.1.1

Fixed In:
13.0.0, 12.1.2, 11.6.3.3

Opened: Apr 28, 2016

Severity: 3-Major

Symptoms

Standard TLS rollback detection for TLSv1 or earlier clients might be too strict for clients that do not comply with RFC 2246 and later. These clients may require 'tls-rollback-bug' option set.

Impact

Failed TLS handshake.

Conditions

Standard behavior of TLS clients is to use ClientHello.client_version in pre-master secret (PMS). Some clients, incorrectly, might use negotiated version in PMS.

Workaround

None.

Fix Information

Added support for tls-rollback-bug option for an SSL profile. This release provides improved support for 'TLS rollback bug workaround' feature described on AskF5 in SSL Administration :: Additional SSL Profile Configuration Options :: Workarounds and other SSL options. (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html).

Behavior Change

This release provides improved support for 'TLS rollback bug workaround' feature described on AskF5 in SSL Administration :: Additional SSL Profile Configuration Options :: Workarounds and other SSL options. (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html). The value is set by the existing tls-rollback-bug option, using the command described in create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }. This is an existing option. When this option is enabled in the client SSL profile, RSA-only ciphersuites will have relaxed treatment of the version field set by the SSL/TLS client as part of the sequence of bytes encrypted to the server RSA key, called pre-master secret (PMS). With the option enabled, PMS can contain either ClientHello.client_version, or negotiated version. Standard behavior of TLS clients is to use ClientHello.client_version in PMS.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips