Last Modified: Nov 07, 2022
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
14.0.0, 22.214.171.124, 126.96.36.199
Opened: Nov 07, 2017
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.
The backend server will not be securely accessible via SSL because the connection hangs.
- SSL client authentication is enabled on the backend server.
- No SSL profile is specified on the BIG-IP device for the virtual service, on both the client and server side.
- An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
- The client certificate chain is passed to the BIG-IP device as part of initiating the connection.
Disable SSL Session Persistence.
Whenever a fragmented message is received by a BIG-IP virtual service, each subsequent message contains its own 5-byte header, which must be accounted for. With these headers taken into account, the Session Persistence parser no longer finds a multiple of 5 bytes missing while parsing the message, and it no longer hangs.
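The header accounting described above, as an added illustration that is not F5's code: a handshake message larger than 16,384 bytes is split across several TLS records, and a parser that strips only the first 5-byte record header is off by 5 bytes for every additional record. All function names and the sample Certificate message are constructed for this example.

```python
import struct

RECORD_HEADER_LEN = 5   # content type (1) + version (2) + length (2)
MAX_FRAGMENT = 16384    # 2**14, maximum TLS record payload
HANDSHAKE = 22          # record content type for handshake data
CERTIFICATE = 11        # handshake message type


def fragment(handshake_msg, version=0x0303):
    """Split one handshake message into TLS records of <= 16384 bytes."""
    out = bytearray()
    for off in range(0, len(handshake_msg), MAX_FRAGMENT):
        chunk = handshake_msg[off:off + MAX_FRAGMENT]
        out += struct.pack("!BHH", HANDSHAKE, version, len(chunk)) + chunk
    return bytes(out)


def reassemble(stream):
    """Return (handshake payload, record count), consuming every header."""
    payload, pos, records = bytearray(), 0, 0
    while pos < len(stream):
        if len(stream) - pos < RECORD_HEADER_LEN:
            raise ValueError("truncated record header")
        ctype, _ver, length = struct.unpack_from("!BHH", stream, pos)
        if ctype != HANDSHAKE or length > MAX_FRAGMENT:
            raise ValueError("unexpected record")
        pos += RECORD_HEADER_LEN
        if len(stream) - pos < length:
            raise ValueError("truncated record body")
        payload += stream[pos:pos + length]
        pos += length
        records += 1
    return bytes(payload), records


def header_bytes_unaccounted(stream):
    """Miscount made by a parser that strips only the first record header."""
    payload, _records = reassemble(stream)
    naive_payload_len = len(stream) - RECORD_HEADER_LEN
    return naive_payload_len - len(payload)   # 5 * (records - 1)


def sample_certificate_message(chain_len=40000):
    """Constructed Certificate message: type, 3-byte length, zeroed body."""
    body = bytes(chain_len)
    return bytes([CERTIFICATE]) + len(body).to_bytes(3, "big") + body
```
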