Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
Fixed In:
14.0.0
Opened: Oct 25, 2017 Severity: 3-Major
When the BIG-IP system uses Proxy-SSL mode, and the virtual server receives a fragmented SSL handshake message, SSL handshake might fail.
If the system receives a fragmented SSL handshake message, the SSL handshake is rejected.
1. The BIG-IP virtual server (VIP) uses Proxy-SSL mode.
2. The BIG-IP system receives a fragmented SSL handshake message (this is especially common when the certificate message is larger than 16 KB, which requires it to be fragmented).
The only workaround is to trim down the list of acceptable client CAs advertised in the CertificateRequest message (specifically, use client certificate chains that are smaller than 16 KB, so the message fits in a single record).
The system now detects a fragmented SSL handshake message by comparing the handshake message length with the handshake record length. If the message is fragmented, the system reassembles it from its fragments before performing the required correctness checks.
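The reassembly check described in the fix, as an added Python example that is not F5 code: it compares the length in the handshake header with the bytes actually carried by the record and buffers until the message is complete. Record and handshake layouts follow TLS 1.2 (RFC 5246); the sample records are constructed with a helper, not captured traffic.

```python
import struct

TLS_HANDSHAKE = 22
MAX_PLAINTEXT = 16384  # 2^14: largest record payload, so larger handshake messages must be fragmented

def split_records(data):
    """Return a list of (content_type, payload) for each TLS record in data."""
    records, off = [], 0
    while off < len(data):
        ctype, _version, length = struct.unpack_from("!BHH", data, off)
        off += 5
        if length > MAX_PLAINTEXT or off + length > len(data):
            raise ValueError("malformed TLS record")
        records.append((ctype, data[off:off + length]))
        off += length
    return records

def reassemble_handshake(records):
    """Return [(handshake_type, body), ...], joining messages that span records."""
    buf, messages = b"", []
    for ctype, payload in records:
        if ctype != TLS_HANDSHAKE:
            raise ValueError("unexpected content type %d during handshake" % ctype)
        buf += payload
        while len(buf) >= 4:  # need the 4-byte handshake header: type (1) + length (3)
            htype = buf[0]
            msg_len = int.from_bytes(buf[1:4], "big")
            if len(buf) - 4 < msg_len:
                # Fragmented: the declared length exceeds what this record carried,
                # so keep buffering instead of rejecting the handshake.
                break
            messages.append((htype, buf[4:4 + msg_len]))
            buf = buf[4 + msg_len:]
    if buf:
        raise ValueError("incomplete handshake message (%d bytes buffered)" % len(buf))
    return messages

def build_records(htype, body, chunk=MAX_PLAINTEXT):
    """Constructed input: wrap one handshake message into records of at most chunk bytes."""
    msg = bytes([htype]) + len(body).to_bytes(3, "big") + body
    out = b""
    for i in range(0, len(msg), chunk):
        part = msg[i:i + chunk]
        out += struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(part)) + part
    return out
```

With a constructed 20,000-byte CertificateRequest (handshake type 13) the message spans two records and is returned whole; feeding only the first record raises instead of silently accepting a truncated message.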