Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7
Fixed In:
14.0.0, 13.1.0.8, 12.1.3.7
Opened: Nov 07, 2017
Severity: 3-Major
Symptoms:
When a very large client certificate chain, typically exceeding 16,384 bytes, is received by the BIG-IP system on a virtual service that has SSL session persistence enabled, the SSL handshake hangs. 16,384 bytes is the maximum TLS record payload size, so a Certificate handshake message larger than this arrives fragmented across multiple TLS records.
Impact:
The backend server is not securely accessible over SSL through the virtual service, because the connection hangs during the handshake and never completes.
Conditions:
[1] SSL client authentication is enabled on the backend server.
[2] No SSL profile (neither client-side nor server-side) is specified on the BIG-IP virtual service, so the SSL traffic passes through and the BIG-IP system only inspects the handshake for persistence.
[3] An SSL connection is initiated from the front-end client, via the BIG-IP virtual service, to the backend server.
[4] The client certificate chain is passed through the BIG-IP system as part of the handshake.
Workaround:
Disable SSL session persistence on the affected virtual service.
Fix Information:
When a handshake message is larger than the maximum TLS record size, it is fragmented across multiple records, and every record, not only the first, carries its own 5-byte record header. The SSL session persistence parser now accounts for the header of each subsequent record. Previously it did not, so while the fragmented message was being parsed it appeared to be short by a multiple of 5 bytes, and the parser waited for data that never arrived. With the fix, no bytes are found missing and the parser no longer hangs.
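The following is an added example, not F5's code or the BIG-IP persistence parser: it builds a client Certificate handshake message larger than 16,384 bytes from constructed dummy DER blobs, fragments it into TLS records, and compares a reassembler that strips only the first record's header (a model of the bug described above) with one that strips the 5-byte header from every record. The function names, the certificate sizes and the trailing ClientKeyExchange message are assumptions chosen for illustration.

```python
"""Added example (not F5 code): why a handshake parser must strip the 5-byte
record header from every TLS record when a handshake message spans records.
All sample data is constructed inline; nothing comes from a real capture."""
import struct

RECORD_HEADER_LEN = 5        # content_type(1) + version(2) + length(2)
MAX_RECORD_PAYLOAD = 16384   # 2^14: longer handshake messages are fragmented
CT_HANDSHAKE = 22
HS_CERTIFICATE = 11
HS_CLIENT_KEY_EXCHANGE = 16


def u24(n):
    """3-byte big-endian length used by handshake headers and certificate entries."""
    return n.to_bytes(3, "big")


def handshake_message(hs_type, body):
    return bytes([hs_type]) + u24(len(body)) + body


def certificate_message(cert_lengths):
    """Certificate handshake message holding dummy DER blobs of the given sizes (constructed)."""
    entries = b"".join(u24(n) + b"\x30" * n for n in cert_lengths)
    return handshake_message(HS_CERTIFICATE, u24(len(entries)) + entries)


def to_records(handshake_bytes):
    """Fragment a handshake byte stream into TLS records of at most 16384 bytes each."""
    out = b""
    for i in range(0, len(handshake_bytes), MAX_RECORD_PAYLOAD):
        chunk = handshake_bytes[i:i + MAX_RECORD_PAYLOAD]
        out += bytes([CT_HANDSHAKE]) + b"\x03\x03" + struct.pack(">H", len(chunk)) + chunk
    return out


def reassemble_buggy(stream):
    """Model of the bug: strips the first record header only, so the headers of
    every subsequent record are left inside what is treated as handshake payload."""
    return stream[RECORD_HEADER_LEN:]


def reassemble_fixed(stream):
    """Walk every record, strip each 5-byte header and concatenate the payloads."""
    payload, pos = b"", 0
    while pos + RECORD_HEADER_LEN <= len(stream):
        ctype = stream[pos]
        length = struct.unpack(">H", stream[pos + 3:pos + 5])[0]
        if ctype != CT_HANDSHAKE:
            raise ValueError("unexpected record type %d" % ctype)
        payload += stream[pos + RECORD_HEADER_LEN:pos + RECORD_HEADER_LEN + length]
        pos += RECORD_HEADER_LEN + length
    return payload


def walk_handshake(payload):
    """Parse handshake messages from a reassembled payload.
    Returns (messages, shortfall). shortfall > 0 means the parser is waiting for
    that many more bytes; if they never arrive, the handshake hangs."""
    msgs, pos = [], 0
    while pos + 4 <= len(payload):
        hs_type = payload[pos]
        length = int.from_bytes(payload[pos + 1:pos + 4], "big")
        if pos + 4 + length > len(payload):
            return msgs, pos + 4 + length - len(payload)
        msgs.append((hs_type, length))
        pos += 4 + length
    return msgs, 0


def demo(cert_lengths=(9000, 9000, 6000)):
    """Client Certificate chain (> 16384 bytes) followed by a ClientKeyExchange (constructed)."""
    flight = certificate_message(cert_lengths) + handshake_message(HS_CLIENT_KEY_EXCHANGE, b"\x00" * 32)
    stream = to_records(flight)
    n_records = -(-len(flight) // MAX_RECORD_PAYLOAD)
    buggy_payload = reassemble_buggy(stream)
    return {
        "records": n_records,
        "fixed": walk_handshake(reassemble_fixed(stream)),
        "buggy": walk_handshake(buggy_payload),
        # the second record's header, swallowed into the certificate body by the buggy path
        "swallowed_header": buggy_payload[MAX_RECORD_PAYLOAD:MAX_RECORD_PAYLOAD + RECORD_HEADER_LEN],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the fixed reassembler the parser returns both messages and a shortfall of 0. With the buggy one, the 5 header bytes of the second record are consumed as certificate data, so the Certificate message ends 5 bytes early in the real stream; the parser then reads certificate filler as the next handshake header, computes a length of several megabytes, and waits for bytes that will never arrive, which is the hang the advisory describes. Each additional record adds another 5 swallowed bytes.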