Bug ID 693308: SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3,,,,,,, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,

Fixed In:

Opened: Nov 07, 2017

Severity: 3-Major


When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.


The backend server will not be securely accessible via SSL because the connection hangs


[1] SSL client authentication is enabled on the backend server [2] No SSL profile is specified on the BIG-IP device for the virtual service, on both, client and server side [3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server. [4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.


Disable SSL Session Persistence.

Fix Information

Whenever a fragmented message is received by a BIG-IP virtual service, subsequent messages contain a 5-byte header, each, which should be accounted for. Upon taking this into consideration, no more multiple-of-5 bytes are found missing while the message is being parsed by the Session Persistence parser, and the parser no longer hangs.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips