Bug ID 693308: SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7

Fixed In:
14.0.0, 13.1.0.8, 12.1.3.7

Opened: Nov 07, 2017
Severity: 3-Major

Symptoms

When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.

Impact

The backend server will not be securely accessible via SSL because the connection hangs.

Conditions

[1] SSL client authentication is enabled on the backend server.
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on either the client or the server side.
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.

Workaround

Disable SSL Session Persistence.

Fix Information

Whenever a handshake message arrives at a BIG-IP virtual service fragmented across several TLS records, every record after the first carries its own 5-byte record-layer header, which must be accounted for. With those headers taken into consideration, the Session Persistence parser no longer finds a multiple of 5 bytes missing while parsing the message, and it no longer hangs.
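The accounting error described above, as an added illustration that is not F5 code and does not reproduce the BIG-IP parser: a handshake message larger than the 16,384-byte TLS record payload limit is split across several records, and a reassembler that budgets wire bytes for only the first record header ends up 5 bytes short per additional record and reports that it is still waiting for data that will never arrive. The record/handshake header layout is standard TLS; the certificate chain body, the function names and the "budget" model of the bug are constructed for the example.

```python
"""Reassembly of a TLS handshake message that spans several TLS records (added example)."""
import struct

RECORD_HEADER_LEN = 5          # content type (1) + version (2) + length (2)
HANDSHAKE_HEADER_LEN = 4       # handshake type (1) + length (3)
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_TYPE_CERTIFICATE = 11
MAX_RECORD_PAYLOAD = 16384     # TLS plaintext fragment limit (2^14 bytes)

# Constructed stand-in for a large client certificate chain (not real DER data).
SAMPLE_CHAIN = (b"CERTCHAIN-PLACEHOLDER-" * 2000)[:40000]


def build_fragmented_handshake(msg_type, body, max_payload=MAX_RECORD_PAYLOAD):
    """Wrap a handshake message into as many TLS records as the fragment limit requires.

    Returns (wire_bytes, record_count)."""
    msg = struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body
    records = []
    for off in range(0, len(msg), max_payload):
        frag = msg[off:off + max_payload]
        # TLS 1.2 record header: type, version 0x0303, payload length.
        records.append(struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0303, len(frag)) + frag)
    return b"".join(records), len(records)


def reassemble_handshake(wire, account_for_every_header):
    """Rebuild one handshake message from a stream of TLS records.

    account_for_every_header=False models the bug: the parser budgets wire
    bytes for a single 5-byte record header, so each additional record
    leaves it 5 bytes short.  True models the fix: each subsequent record's
    header is added to the budget.
    Returns ("complete", msg_type, body) or ("waiting", msg_type, bytes_missing)."""
    ctype, _ver, rlen = struct.unpack("!BHH", wire[:RECORD_HEADER_LEN])
    if ctype != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    first = wire[RECORD_HEADER_LEN:RECORD_HEADER_LEN + rlen]
    msg_type = first[0]
    declared_len = int.from_bytes(first[1:HANDSHAKE_HEADER_LEN], "big")
    body = bytearray(first[HANDSHAKE_HEADER_LEN:])

    # Number of wire bytes the parser believes the whole message occupies.
    budget = RECORD_HEADER_LEN + HANDSHAKE_HEADER_LEN + declared_len
    pos = RECORD_HEADER_LEN + rlen
    while len(body) < declared_len and pos + RECORD_HEADER_LEN <= len(wire):
        ctype, _ver, rlen = struct.unpack("!BHH", wire[pos:pos + RECORD_HEADER_LEN])
        if ctype != CONTENT_TYPE_HANDSHAKE:
            raise ValueError("unexpected record type in the middle of a handshake message")
        if account_for_every_header:
            budget += RECORD_HEADER_LEN      # the fix: this record has its own header
        # Only read as many payload bytes as the remaining budget allows.
        take = min(rlen, budget - pos - RECORD_HEADER_LEN)
        if take <= 0:
            break
        body += wire[pos + RECORD_HEADER_LEN:pos + RECORD_HEADER_LEN + take]
        pos += RECORD_HEADER_LEN + rlen

    if len(body) >= declared_len:
        return "complete", msg_type, bytes(body[:declared_len])
    # A real parser would block here waiting for bytes the peer already sent.
    return "waiting", msg_type, declared_len - len(body)


def demo():
    """Run both parsers over a three-record Certificate message."""
    wire, nrec = build_fragmented_handshake(HANDSHAKE_TYPE_CERTIFICATE, SAMPLE_CHAIN)
    buggy = reassemble_handshake(wire, account_for_every_header=False)
    fixed = reassemble_handshake(wire, account_for_every_header=True)
    return nrec, buggy, fixed


if __name__ == "__main__":
    nrec, buggy, fixed = demo()
    print(f"records on the wire: {nrec}")
    print(f"buggy parser: {buggy[0]}, bytes believed missing: {buggy[2]}")
    print(f"fixed parser: {fixed[0]}, body length: {len(fixed[2])}")
```

With the 40,000-byte sample chain the message occupies three records, so the buggy accounting comes up exactly 10 bytes (2 extra headers x 5) short and reports "waiting", while the fixed accounting returns the complete body. A chain that fits in a single record completes under both parsers, which is why the symptom only appears with chains larger than 16,384 bytes.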

Behavior Change