Bug ID 603032: clientssl profiles with sni-default enabled may leak X509 objects

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP All(all modules)

Known Affected Versions:
11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2

Opened: Jul 06, 2016

Severity: 2-Critical

Symptoms

SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.

Impact

The amount of leakage will depending on the number of virtuals with sni-default-enabled clientssl profiles and frequency of configuration manipulations. For large configurations, the leakage can be very noticeable over time.

Conditions

clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.

Workaround

No workaround short of not using sni-default.

Fix Information

SSL now handles sni-default-enabled clientssl profiles without leaking the X509 objects.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips