Bug ID 676355: DTLS retransmission does not comply with RFC in certain resumed SSL session

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM, LTM(all modules)

Known Affected Versions:
11.5.4, 11.5.5, 11.5.6, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
14.0.0, 12.1.3.6, 11.6.3.3, 11.5.7

Opened: Jul 31, 2017

Severity: 3-Major

Symptoms

The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.

Impact

When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.

Conditions

-- In the Cavium SSL offloading platform. -- DTLS FINISHED Message is lost.

Workaround

None.

Fix Information

The FINISHED messages are saved before transmitting the Cavium encrypted FINISHED message, and starting the DTLS re-transmit timer. When the re-transmit timer expires, the CCS plus FINISHED messages will be retransmitted.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips