Bug ID 603032: clientssl profiles with sni-default enabled may leak X509 objects

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2

Opened: Jul 06, 2016
Severity: 2-Critical

Symptoms

SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.

Impact

The amount of leakage will depending on the number of virtuals with sni-default-enabled clientssl profiles and frequency of configuration manipulations. For large configurations, the leakage can be very noticeable over time.

Conditions

clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.

Workaround

No workaround short of not using sni-default.

Fix Information

SSL now handles sni-default-enabled clientssl profiles without leaking the X509 objects.

Behavior Change