Bug ID 664528: SSL record can be larger than maximum fragment size (16384 bytes)

Last Modified: May 14, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3

Fixed In:
14.0.0, 13.1.0.4, 12.1.3.4

Opened: May 12, 2017
Severity: 3-Major
Related AskF5 Article:
K53282793

Symptoms

An SSL record containing handshake data can exceed the maximum fragment size of 16384 bytes because handshake data is not fragmented.

Impact

The SSL handshake fails with a client or server that properly checks the record size.

Conditions

This usually happens when a large certificate or certificate chain is configured for server or client authentication.

Workaround

Use a certificate that is smaller in size.

Fix Information

Properly fragment handshake data.
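
The condition and the fix at the record layer, as an added example (not F5 code): a large Certificate handshake message is emitted once as a single oversized record and once split into records of at most 16384 bytes, and the length check a strict peer applies is run on both. All function names, the TLS 1.2 version bytes and the 20000-byte sample are assumptions made for illustration.

```python
import struct

MAX_FRAGMENT = 2 ** 14   # 16384-byte limit on a record's fragment
CT_HANDSHAKE = 22        # record content type: handshake
HS_CERTIFICATE = 11      # handshake message type: certificate
TLS12 = (3, 3)           # assumed protocol version for the sample records


def handshake_message(msg_type, body):
    """Handshake header (1-byte type, 3-byte length) followed by the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def single_record(payload, version=TLS12):
    """One record: 5-byte header (type, version, 16-bit length) + payload."""
    return struct.pack("!BBBH", CT_HANDSHAKE, *version, len(payload)) + payload


def fragmented_records(payload, version=TLS12):
    """Split handshake data so no record carries more than MAX_FRAGMENT."""
    return b"".join(single_record(payload[i:i + MAX_FRAGMENT], version)
                    for i in range(0, len(payload), MAX_FRAGMENT))


def iter_records(stream):
    """Yield (offset, payload) for each record in a byte stream."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        length = struct.unpack_from("!H", stream, offset + 3)[0]
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) < length:
            raise ValueError(f"truncated record body at offset {offset}")
        yield offset, payload
        offset += 5 + length


def oversized_records(stream):
    """Records a strict peer rejects: (offset, length) with length > limit."""
    return [(o, len(p)) for o, p in iter_records(stream) if len(p) > MAX_FRAGMENT]


def reassemble(stream):
    """Concatenate record payloads back into the handshake byte stream."""
    return b"".join(p for _, p in iter_records(stream))


# Constructed sample: a 20000-byte stand-in for a large certificate chain.
SAMPLE = handshake_message(HS_CERTIFICATE, b"\x00" * 20000)
```

Running `oversized_records` over the handshake records from a packet capture of a failing connection shows whether this condition is the cause.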

Behavior Change