Bug ID 635275: Prefer P-256 to P-384 for ECDHE in client SSL, except when the server static key security is matching P-384

Last Modified: Dec 20, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Dec 21, 2016
Severity: 3-Major

Symptoms

The BIG-IP system honors client preferences and prefers P-384 if a TLS client instructed the BIG-IP TLS server to do so.

Impact

The BIG-IP system prefers P-384 over P-256.

Conditions

When client supports both curve P-256 and P-384 for ECDHE in client-ssl profile

Workaround

None.

Fix Information

The new behavior follows these evaluation steps: (1) For static key exchange ECDH-ECDSA/ECDH-RSA, always get the curve ID from certificate. (2) If the server static key (sent in X.509 cert to the client) is RSA 4K or ECDSA P-384, and if P-384 is included by the client in elliptic_curve_list, use P-384. (3) Otherwise, if client elliptic_curve_list has P-256, use it. (4) Otherwise, if client elliptic_curve_list has P-384, use it. (5) Otherwise, no ECDHE ciphersuite can be used.

Behavior Change

In previous releases, the BIG-IP system honored client preferences and preferred P-384 if a TLS client instructed the BIG-IP TLS server to do so. The new behavior follows these evaluation steps: (1) For static key exchange ECDH-ECDSA/ECDH-RSA, always get the curve ID from certificate. (2) If the server static key (sent in X.509 cert to the client) is RSA 4K or ECDSA P-384, and if P-384 is included by the client in elliptic_curve_list, use P-384. (3) Otherwise, if client elliptic_curve_list has P-256, use it. (4) Otherwise, if client elliptic_curve_list has P-384, use it. (5) Otherwise, no ECDHE ciphersuite can be used.