Bug ID 689561: HTTPS request hangs when multiple virtual https servers shares the same ip address

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5

Fixed In:
14.0.0, 13.1.0.6

Opened: Oct 19, 2017
Severity: 3-Major

Symptoms

SSL forward proxy reuses the server ssl session when client ip, server ip and server port matches the ssl session. when multiple virtual https servers share the same ip address, it could happen server ssl reuse a session previously from other virtual server. in such a situation, client cannot forge certificate and hangs the ssh handshake.

Impact

client cannot access some https web server.

Conditions

multiple virtual https servers share the same ip address, and they internally share the ssl sessions. we saw it happens in several google domain.

Workaround

A workaround is disabling the "Session Ticket" in the server ssl profile, since we do not support session id resumption in the server ssl, this will cause it do full handshake to web server every time, so server_certchain will not be NULL.

Fix Information

it matches the client ip, server ip and port as well as the server name in the SNI to the server ssl session cache. it will not reuse the sessions does not match virtual server name after the fix.

Behavior Change