Bug ID 690699: Fragmented SSL handshake messages cause Proxy SSL handshake to fail

Last Modified: Jan 29, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4

Fixed In:
14.0.0

Opened: Oct 25, 2017
Severity: 3-Major

Symptoms

When the BIG-IP system uses Proxy-SSL mode, and the virtual server receives a fragmented SSL handshake message, SSL handshake might fail.

Impact

If the system receives SSL Fragmented SSL handshake message, SSL handshake is rejected.

Conditions

1. BIG-IP (VIP) uses Proxy-SSL mode. 2. The BIG-IP system receives a fragmented SSL handshake message (this is especially common when the certificate message is larger than 16 KB, which requires it to be fragmented).

Workaround

The only workaround is to trim down the list of acceptable client CAs advertised in the CertificateRequest message.(specifically, use client certificate chains that are smaller than 16 KB).

Fix Information

The system now checks whether the SSL handshake message is fragmented by comparing the message length and the handshake record length. The system then assembles the fragmented message and performs the required correctness check if it is fragmented.

Behavior Change