Bug ID 649571: Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0

Fixed In:
13.1.0, 13.0.0 HF1, 12.1.2 HF1

Opened: Mar 07, 2017
Severity: 3-Major

Symptoms

The BIG-IP system does not act on the absence of renegotiation.

Impact

Limits, such as data limits ("Renegotiate Size" in Server SSL) or time limits ("Renegotiate Period" in Server SSL) are not enforced with finite "Handshake Timeout".

Conditions

A BIG-IP system acts as TLS client, a TLS server ignores renegotiation request. Finite TLS session data or time limits are configured in Server SSL Profile on the BIG-IP system. An example of such a TLS server is Apache/2.4.10 on Fedora Linux.

Workaround

None.

Fix Information

BIG-IP system acting as TLS client (Server SSL Profile) now shuts down the connection if a TLS server did not continue with TLS renegotiation within "Handshake Timeout" seconds after the ClientHello, corresponding to the renegotiation initiation, was sent by the BIG-IP system.

Behavior Change