Bug ID 649571: Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP All(all modules)

Known Affected Versions:

Fixed In:
13.1.0, 13.0.0 HF1, 12.1.2 HF1

Opened: Mar 07, 2017

Severity: 3-Major


The BIG-IP system does not act on the absence of renegotiation.


Limits, such as data limits ("Renegotiate Size" in Server SSL) or time limits ("Renegotiate Period" in Server SSL) are not enforced with finite "Handshake Timeout".


A BIG-IP system acts as TLS client, a TLS server ignores renegotiation request. Finite TLS session data or time limits are configured in Server SSL Profile on the BIG-IP system. An example of such a TLS server is Apache/2.4.10 on Fedora Linux.



Fix Information

BIG-IP system acting as TLS client (Server SSL Profile) now shuts down the connection if a TLS server did not continue with TLS renegotiation within "Handshake Timeout" seconds after the ClientHello, corresponding to the renegotiation initiation, was sent by the BIG-IP system.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips