Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 13.0.0
Fixed In:
13.1.0, 13.0.0 HF1, 12.1.2 HF1
Opened: Nov 02, 2016
Severity: 3-Major
Related Article:
K28505256
Symptoms:
On a BIG-IP device, when an SSL client sends a large client certificate to a virtual service that has SSL persistence enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment (part of the CertificateVerify message) as a new record, miscalculates its length, and then waits indefinitely for the remaining bytes of that record.
Impact:
The client connection hangs during the handshake. There is no impact on any other module.
Conditions:
SSL persistence is enabled and the SSL client sends a large client certificate to the BIG-IP device.
Workaround:
Disable SSL persistence.
Fix Information:
SSL now reassembles fragments correctly when a large client certificate is sent and SSL persistence is enabled.
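
A simplified model of this failure class, added here as an illustration and not F5's code: TLS handshake messages may span record boundaries, so a parser has to join record payloads before reading handshake headers. The flight contents, the 1024-byte fragment size and all function names are constructed for the example.

```python
import struct

HANDSHAKE = 22  # TLS record content type "handshake"

def hs_msg(msg_type, body):
    """Handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def to_records(stream, max_frag):
    """Split a handshake byte stream into TLS records of at most max_frag bytes."""
    chunks = [stream[i:i + max_frag] for i in range(0, len(stream), max_frag)]
    return [struct.pack("!BHH", HANDSHAKE, 0x0303, len(c)) + c for c in chunks]

def reassemble(records):
    """Correct: join record payloads first, then walk handshake headers.
    Returns (messages, bytes_still_needed)."""
    buf = b""
    for rec in records:
        ctype, _version, length = struct.unpack("!BHH", rec[:5])
        if ctype == HANDSHAKE:
            buf += rec[5:5 + length]
    msgs = []
    while len(buf) >= 4:
        mlen = int.from_bytes(buf[1:4], "big")
        if len(buf) < 4 + mlen:
            return msgs, 4 + mlen - len(buf)
        msgs.append((buf[0], mlen))
        buf = buf[4 + mlen:]
    return msgs, (4 - len(buf) if buf else 0)

def naive_parse(records):
    """Flawed model: assumes every record payload begins with a handshake header,
    so continuation bytes are decoded as a bogus type and length."""
    msgs, needed = [], 0
    for rec in records:
        payload, pos = rec[5:], 0
        while pos + 4 <= len(payload):
            mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
            msgs.append((payload[pos], mlen))
            pos += 4 + mlen
        needed = max(pos - len(payload), 0)  # bytes the parser still waits for
    return msgs, needed

# Constructed flight: Certificate (11), ClientKeyExchange (16), CertificateVerify (15).
FLIGHT = hs_msg(11, b"\xab" * 3000) + hs_msg(16, b"\xcd" * 258) + hs_msg(15, b"\xef" * 260)
RECORDS = to_records(FLIGHT, 1024)  # small fragment size chosen for the demo

if __name__ == "__main__":
    print("reassembled:", reassemble(RECORDS))
    print("naive:", naive_parse(RECORDS))
```

The reassembling parser recovers all three messages with nothing outstanding, while the flawed model ends the flight still expecting millions of bytes that the client will never send, which is the hang described above.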