Bug ID 626386: SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled

Last Modified: Oct 01, 2018

Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0

Fixed In:
13.1.0, 13.0.0 HF1, 12.1.2 HF1

Opened: Nov 02, 2016
Severity: 3-Major
Related AskF5 Article:
K28505256

Symptoms

On a BIG-IP device, when an SSL client sends a large-sized client certificate to a virtual service and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment (part of the CertificateVerify message) as a new record, calculates an incorrect length for it, and then waits endlessly for more bytes to complete that record.
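The failure pattern described above, as an added illustration that is not F5 code and does not model the SSID parser's internals: handshake messages are a byte stream that the TLS record layer may cut at arbitrary points, so a parser that reads a handshake header at the start of every record will mistake the continuation of a large message for a fresh header, decode a garbage length, and wait forever. The sample client flight (a 5000-byte Certificate body, then ClientKeyExchange and CertificateVerify, split into 2048-byte records) and the flawed `parse_per_record` are constructed for this example; the record and handshake header layouts are the standard TLS ones.

```python
import struct

HANDSHAKE = 22               # TLS record content type for handshake messages
TLS12 = b"\x03\x03"          # record-layer version bytes (constructed sample uses TLS 1.2)

# Handshake message types used in the sample (values from RFC 5246)
CERTIFICATE, CLIENT_KEY_EXCHANGE, CERTIFICATE_VERIFY = 11, 16, 15


def build_records(messages, max_fragment):
    """Serialize (type, body) handshake messages as one byte stream and split it
    into TLS records of at most max_fragment bytes, the way a client sending a
    large certificate chain does. Returns the concatenated records."""
    stream = b"".join(bytes([t]) + len(body).to_bytes(3, "big") + body
                      for t, body in messages)
    out = []
    for off in range(0, len(stream), max_fragment):
        chunk = stream[off:off + max_fragment]
        out.append(bytes([HANDSHAKE]) + TLS12 + struct.pack("!H", len(chunk)) + chunk)
    return b"".join(out)


def iter_record_payloads(data):
    """Walk the record layer: 5-byte header (type, version, length), then payload."""
    off = 0
    while off + 5 <= len(data):
        ctype = data[off]
        length = struct.unpack("!H", data[off + 3:off + 5])[0]
        if off + 5 + length > len(data):
            break                      # incomplete record: wait for more bytes
        if ctype == HANDSHAKE:
            yield data[off + 5:off + 5 + length]
        off += 5 + length


def reassemble(data):
    """Correct approach: record payloads are appended to one buffer and handshake
    headers are parsed only from that buffer, so a message spanning several
    records completes once its last fragment arrives."""
    buf, messages = b"", []
    for payload in iter_record_payloads(data):
        buf += payload
        while len(buf) >= 4:
            mtype, mlen = buf[0], int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen:
                break                  # need more fragments for this message
            messages.append((mtype, buf[4:4 + mlen]))
            buf = buf[4 + mlen:]
    return messages


def parse_per_record(data):
    """Flawed approach (constructed model of the failure, not the product's code):
    a handshake header is read at the start of every record payload. The tail of
    a message that did not fit in the previous record is taken as a new header,
    its bytes decode to a garbage length, and the parser is left waiting for
    data that never arrives.
    Returns (completed messages, (type, declared_len, bytes_have) still pending)."""
    messages, pending = [], None
    for payload in iter_record_payloads(data):
        mtype, mlen = payload[0], int.from_bytes(payload[1:4], "big")
        if len(payload) - 4 >= mlen:
            messages.append((mtype, payload[4:4 + mlen]))
            pending = None
        else:
            pending = (mtype, mlen, len(payload) - 4)   # waits, never resumes
    return messages, pending


def sample_records():
    """Constructed client flight: a 5000-byte Certificate body (stand-in for a
    large certificate chain), then ClientKeyExchange and CertificateVerify,
    cut into 2048-byte records so the Certificate spans three records."""
    cert_body = (bytes(range(256)) * 20)[:5000]
    flight = [(CERTIFICATE, cert_body),
              (CLIENT_KEY_EXCHANGE, b"\x01\x00" + b"\x42" * 256),
              (CERTIFICATE_VERIFY, b"\x04\x01" + b"\x01\x00" + b"\x43" * 256)]
    return build_records(flight, max_fragment=2048)


if __name__ == "__main__":
    data = sample_records()
    print("stream reassembly:", [(t, len(b)) for t, b in reassemble(data)])
    done, stuck = parse_per_record(data)
    print("per-record parsing:", [(t, len(b)) for t, b in done], "pending:", stuck)
```

Running the module shows `reassemble` returning all three messages, while `parse_per_record` completes none and ends up pending on a bogus type-252 message of about 16 MB that it read out of the middle of the certificate body; that is the "waiting endlessly for more bytes" state a hung handshake corresponds to. The defensive rule this illustrates is that handshake-layer parsing must never assume a message starts at a record boundary.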

Impact

Client connection hangs during the handshake. No impact to any other module.

Conditions

When SSL persistence is enabled and a large-sized client certificate is sent by the SSL client to the BIG-IP device.

Workaround

Disable SSL persistence.

Fix Information

SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.

Behavior Change