Bug ID 690699: Fragmented SSL handshake messages cause Proxy SSL handshake to fail

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,

Fixed In:

Opened: Oct 25, 2017

Severity: 3-Major


When the BIG-IP system uses Proxy-SSL mode, and the virtual server receives a fragmented SSL handshake message, SSL handshake might fail.


If the system receives SSL Fragmented SSL handshake message, SSL handshake is rejected.


1. BIG-IP (VIP) uses Proxy-SSL mode. 2. The BIG-IP system receives a fragmented SSL handshake message (this is especially common when the certificate message is larger than 16 KB, which requires it to be fragmented).


The only workaround is to trim down the list of acceptable client CAs advertised in the CertificateRequest message.(specifically, use client certificate chains that are smaller than 16 KB).

Fix Information

The system now checks whether the SSL handshake message is fragmented by comparing the message length and the handshake record length. The system then assembles the fragmented message and performs the required correctness check if it is fragmented.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips