Bug ID 698014: SSID Persistence does not work with TLS v1.3. Warning message logged.

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4

Fixed In:
14.1.0

Opened: Dec 07, 2017
Severity: 3-Major

Symptoms

In TLS v1.3, after initial handshake is established, the encrypted session ticket is encrypted by the back-end server. The SSL Session ID (SSID) parser, being only a passive listener, has no access to the decryption key required to decrypt the encrypted session ticket, and examine whether this is indeed a session ticket that needs to be cached for persistence.

Impact

Configurations using SSID Persistence with TLS versions up to and including 1.2, will be impacted. Whenever TLS 1.3 traffic is processed and the SSID filter is enabled: -- The filter switches to pass-through. -- No session ID or session ticket is cached for persistence. As a result: + The CLI command 'tmsh show ltm persistence persist persist-records' does not show any of this information. + No SSID persistence is used to load-balance client traffic on to a back-end server (because there is no persistence record).

Conditions

This occurs when a client-side virtual server meets all of the following conditions: -- No SSL profile is enabled. -- SSID Persistence is one of the resources (i.e., the SSID is enabled). -- TLS v1.3 traffic is negotiated between the SSL client and the back-end SSL server, with the BIG-IP device acting as a passive listener between the client and the back-end server.

Workaround

There is no solution possible with TLS v1.3. SSID does not work because of the very nature of the TLS v1.3 protocol. A TMM warning message is logged in the file "/var/log/ltm", in the following format: warning tmm[12729]: 01260044:4 SSID is not supported with TLS 1.3.

Fix Information

A TMM warning message is logged in the file '/var/log/ltm', in the following format: warning tmm[12729]: 01260044:4 SSID is not supported with TLS 1.3.

Behavior Change