Bug ID 664528: SSL record can be larger than maximum fragment size (16384 bytes)

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3

Fixed In:
14.0.0, 13.1.0.4, 12.1.3.4

Opened: May 12, 2017

Severity: 3-Major

Related Article: K53282793

Symptoms

An SSL record containing handshake data can exceed the maximum fragment size of 16384 bytes because the handshake data is not fragmented.

Impact

The SSL handshake fails with any client or server that properly checks the record size.

Conditions

This usually happens when a large certificate or certificate chain is configured for server or client authentication.

Workaround

Use a certificate that is smaller in size.

Fix Information

Properly fragment handshake data.
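
The following is an added illustration, not F5 code: it builds a TLS 1.2 Certificate handshake message from a constructed chain, wraps it in records with and without fragmentation, and applies the record-size check a strict peer performs. All function names and the sample chain are assumptions made for the example.

```python
import struct

MAX_FRAGMENT = 2 ** 14   # 16384-byte plaintext fragment limit (RFC 5246, 6.2.1)
HANDSHAKE = 22           # TLS ContentType: handshake
CERTIFICATE = 11         # TLS HandshakeType: certificate


def certificate_message(chain_der):
    """Build a TLS 1.2 Certificate handshake message from DER certificates."""
    certs = b"".join(len(c).to_bytes(3, "big") + c for c in chain_der)
    body = len(certs).to_bytes(3, "big") + certs
    return bytes([CERTIFICATE]) + len(body).to_bytes(3, "big") + body


def to_records(handshake, version=(3, 3), fragment=True):
    """Wrap handshake bytes in TLS records; fragment=False mimics the bug."""
    step = MAX_FRAGMENT if fragment else max(len(handshake), 1)
    out = b""
    for i in range(0, len(handshake), step):
        chunk = handshake[i:i + step]
        out += struct.pack("!BBBH", HANDSHAKE, *version, len(chunk)) + chunk
    return out


def parse_records(stream):
    """Split a byte stream into (content_type, payload) TLS records."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _maj, _min, length = struct.unpack_from("!BBBH", stream, pos)
        records.append((ctype, stream[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records


def oversized(stream):
    """Lengths of records a strict peer rejects (fragment > 16384 bytes)."""
    return [len(p) for _t, p in parse_records(stream) if len(p) > MAX_FRAGMENT]


def reassemble(stream):
    """Concatenate handshake fragments, as the receiving peer does."""
    return b"".join(p for t, p in parse_records(stream) if t == HANDSHAKE)


# Constructed sample: three 7000-byte placeholder "certificates" (not real
# DER), enough to push the Certificate message past 16384 bytes.
SAMPLE_CHAIN = [bytes(7000)] * 3
```

Running `oversized()` over a captured handshake flight shows whether a given certificate chain produces a record that a size-checking peer will reject.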

Behavior Change
