Last Modified: Apr 10, 2019
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0, 13.1.0, 13.0.0 HF1, 12.1.2 HF1
Opened: Nov 02, 2016
Related AskF5 Article: K28505256
Symptoms: On a BIG-IP device, whenever an SSL client sends a large client certificate to a virtual service and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment (part of the CertificateVerify message) as a new record, calculates its length incorrectly, and ends up waiting indefinitely for more bytes to complete the record.
Impact: The client connection hangs during the handshake. No impact to any other module.
Conditions: SSL persistence is enabled and the SSL client sends a large client certificate to the BIG-IP device.
Workaround: Disable SSL persistence.
Fix: SSL now reassembles fragments correctly with a large client certificate when SSL persistence is enabled.
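The failure mode described above can be reproduced with a generic TLS handshake parser. The following is an added example, not BIG-IP code: it builds a constructed client flight whose large Certificate message pushes ClientKeyExchange across a record boundary, then compares a parser that expects a handshake header at the start of every record with one that reassembles payloads first. All function names and the sample byte values are assumptions made for illustration.

```python
import struct

HANDSHAKE = 22     # TLS record content type for handshake data
MAX_FRAG = 2**14   # maximum TLS record payload

def handshake_msg(msg_type, body):
    """Handshake header is 1-byte type + 3-byte length, then the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def to_records(flight):
    """Cut one handshake flight into TLS records (5-byte header each)."""
    chunks = [flight[i:i + MAX_FRAG] for i in range(0, len(flight), MAX_FRAG)]
    return b"".join(struct.pack("!BHH", HANDSHAKE, 0x0303, len(c)) + c for c in chunks)

def record_payloads(stream):
    """Return the payload of every complete handshake record in the stream."""
    out, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _, length = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + length > len(stream):
            break
        if ctype == HANDSHAKE:
            out.append(stream[pos + 5:pos + 5 + length])
        pos += 5 + length
    return out

def per_record_view(stream):
    """Flawed: treat the first 4 bytes of each record as a handshake header."""
    return [(p[0], int.from_bytes(p[1:4], "big"), len(p) - 4)
            for p in record_payloads(stream)]

def reassemble(stream):
    """Correct: join record payloads first, then cut on handshake lengths."""
    buf, msgs, pos = b"".join(record_payloads(stream)), [], 0
    while pos + 4 <= len(buf):
        length = int.from_bytes(buf[pos + 1:pos + 4], "big")
        if pos + 4 + length > len(buf):
            break                      # message really is incomplete
        msgs.append((buf[pos], length))
        pos += 4 + length
    return msgs, len(buf) - pos        # leftover > 0 means more data is needed

# Constructed client flight: Certificate(11), ClientKeyExchange(16), CertificateVerify(15)
FLIGHT = (handshake_msg(11, b"\xaa" * 16300) + handshake_msg(16, b"\xbb" * 258)
          + handshake_msg(15, b"\xcc" * 260))
STREAM = to_records(FLIGHT)

if __name__ == "__main__":
    print(per_record_view(STREAM))   # second tuple claims far more bytes than exist
    print(reassemble(STREAM))
```

Each tuple from `per_record_view` is (type byte, declared length, bytes available). For the second record the declared length comes from mid-message data, so a parser that trusts it keeps waiting for bytes the client never sends.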