Bug ID 626386: SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 13.0.0

Fixed In:
13.1.0, 13.0.0 HF1, 12.1.2 HF1

Opened: Nov 02, 2016

Severity: 3-Major

Related Article: K28505256

Symptoms

On a BIG-IP device, whenever a large-sized client certificate is sent by an SSL client to a virtual service and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment (part of the CertificateVerify message) as a new record, miscalculates its length, and then waits endlessly for more bytes to complete that record.
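The failure mode above is a record-layer versus message-layer confusion: TLS record boundaries are arbitrary, so a handshake message (and its 4-byte type/length header) can straddle records. The following Python is an added illustration, not F5 code; it contrasts a parser that buffers across records with one that restarts at every record, using a constructed handshake split into 100-byte records.

```python
import struct

HANDSHAKE = 22                      # TLS ContentType for handshake records
TLS_1_2 = 0x0303
CERTIFICATE, CERTIFICATE_VERIFY, CLIENT_KEY_EXCHANGE = 11, 15, 16
KNOWN_TYPES = {CERTIFICATE, CERTIFICATE_VERIFY, CLIENT_KEY_EXCHANGE}


def build_records(messages, max_record):
    """Serialise (type, body) handshake messages into one byte stream, then cut that
    stream into records of at most max_record payload bytes (constructed input)."""
    stream = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in messages)
    records = []
    for i in range(0, len(stream), max_record):
        frag = stream[i:i + max_record]
        records.append(struct.pack("!BHH", HANDSHAKE, TLS_1_2, len(frag)) + frag)
    return records


def reassemble(records):
    """Correct: append every record payload to one buffer and emit a message only
    once all of its declared bytes have arrived; a partial message simply waits."""
    buf, messages = b"", []
    for rec in records:
        ctype, _ver, length = struct.unpack("!BHH", rec[:5])
        if ctype != HANDSHAKE or len(rec) != 5 + length:
            raise ValueError("malformed handshake record")
        buf += rec[5:]
        while len(buf) >= 4:
            mtype, mlen = buf[0], int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen:
                break                       # remainder arrives in a later record
            messages.append((mtype, buf[4:4 + mlen]))
            buf = buf[4 + mlen:]
    return messages, len(buf)               # leftover bytes still waiting for data


def naive_per_record(records):
    """Flawed (the bug class this advisory describes): treat each record payload as
    the start of a handshake message. A continuation fragment is read as a header,
    giving a bogus type and length. Returns the first misread and how many bytes
    that bogus length demands beyond everything the client will ever send."""
    remaining = sum(len(r) - 5 for r in records)
    for idx, rec in enumerate(records):
        body = rec[5:]
        remaining -= len(body)
        mtype, mlen = body[0], int.from_bytes(body[1:4], "big")
        available = len(body) - 4 + remaining
        if mtype not in KNOWN_TYPES or mlen > available:
            return {"record": idx, "type": mtype, "length": mlen,
                    "never_arriving": mlen - available}
    return None


# Constructed handshake: oversized client Certificate, then ClientKeyExchange and
# CertificateVerify, cut into 100-byte records so that messages straddle records.
SAMPLE = [(CERTIFICATE, b"\xaa" * 300), (CLIENT_KEY_EXCHANGE, b"\xbb" * 64),
          (CERTIFICATE_VERIFY, b"\xcc" * 70)]
RECORDS = build_records(SAMPLE, 100)
```

`reassemble(RECORDS)` yields all three messages with nothing left over, while `naive_per_record(RECORDS)` reports that the second record's first bytes (0xaa...) were read as a header whose length can never be satisfied, which is the endless wait the symptoms describe.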

Impact

Client connection hangs during the handshake. No impact to any other module.

Conditions

When SSL persistence is enabled and a large-sized client certificate is sent by the SSL client to the BIG-IP device.

Workaround

Disable SSL persistence.

Fix Information

SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips