Bug ID 700696: SSID does not cache fragmented Client Certificates correctly via iRule

Last Modified: Oct 21, 2018

Bug Tracker

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1

Fixed In:
14.0.0, 13.1.1.2, 12.1.3.7

Opened: Jan 04, 2018
Severity: 3-Major

Symptoms

The last few bytes of a very large Client Certificate (typically larger than 16,384 bytes, the maximum TLS record size, so the certificate arrives split across several records) are not cached correctly when the certificate is received fragmented by the SSL Session ID (SSID) persistence parser.

Impact

The client certificate is not stored correctly on the BIG-IP system: the cached copy is missing its last few bytes.
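A truncated DER certificate can be detected without any X.509 parsing, because the outer SEQUENCE header states exactly how many bytes must follow it. The following check is an added example (not F5 code or part of this bug report); it assumes you already have the DER bytes of the certificate as stored, and the oversized certificate it builds is a constructed filler blob, not a real certificate. It also shows how a blob larger than 16,384 bytes is split into TLS-record-sized fragments and must be reassembled byte-exact.

```python
"""Detect a DER blob (e.g. an X.509 certificate) whose tail bytes were dropped.

Added example, not F5 code. DER uses definite lengths, so the outer
SEQUENCE header alone tells us how long the complete encoding must be.
"""

TLS_MAX_RECORD = 16384  # maximum TLSPlaintext fragment length (2^14, RFC 5246 6.2.1)


def der_length(n: int) -> bytes:
    """Encode a DER definite length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_expected_length(buf: bytes) -> int:
    """Return the total length (header + content) claimed by the outer SEQUENCE.

    Raises ValueError for anything that is not a definite-length DER SEQUENCE.
    """
    if len(buf) < 2:
        raise ValueError("too short for a DER tag and length")
    if buf[0] != 0x30:
        raise ValueError("outer tag is not SEQUENCE (0x30)")
    first = buf[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length form is not DER")
    if len(buf) < 2 + n:
        raise ValueError("length bytes themselves are truncated")
    content = int.from_bytes(buf[2:2 + n], "big")
    return 2 + n + content


def check_der(buf: bytes) -> dict:
    """Classify a blob as complete, truncated, or carrying trailing data."""
    expected = der_expected_length(buf)
    actual = len(buf)
    if actual < expected:
        status = "truncated"
    elif actual > expected:
        status = "trailing-data"
    else:
        status = "complete"
    return {"status": status, "expected": expected, "actual": actual,
            "missing": max(0, expected - actual)}


def fragment(buf: bytes, size: int = TLS_MAX_RECORD) -> list:
    """Split a blob into record-sized pieces, as the TLS record layer would."""
    return [buf[i:i + size] for i in range(0, len(buf), size)]


def make_blob(payload_len: int) -> bytes:
    """Constructed oversized DER SEQUENCE (filler OCTET STRING, not a real cert)."""
    payload = (bytes(range(256)) * (payload_len // 256 + 1))[:payload_len]
    inner = b"\x04" + der_length(len(payload)) + payload
    return b"\x30" + der_length(len(inner)) + inner


if __name__ == "__main__":
    blob = make_blob(20000)              # 20,008 bytes: needs two TLS records
    records = fragment(blob)
    print("fragments:", [len(r) for r in records])
    print("reassembled ok:", b"".join(records) == blob)
    print("full blob:", check_der(blob))
    print("tail dropped:", check_der(blob[:-7]))
```

Any result other than `complete` for a certificate you expect to be intact means the stored copy cannot be trusted; the `missing` count tells you how many tail bytes were lost.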

Conditions

-- Client Authentication is enabled.
-- A very large Client Certificate is supplied (typically larger than 16,384 bytes).
-- SSL Session ID Persistence is enabled.
-- An iRule that uses the CLIENTSSL_CLIENTCERT event is attached to the virtual server.

Workaround

Disable the iRule that uses the CLIENTSSL_CLIENTCERT event while SSL Session ID (SSID) persistence is in use. The Client Certificate is then not cached at all, which is preferable to caching a truncated, and therefore incorrect, client certificate.

Fix Information

This release supports caching of fragmented client certificates in the SSL Session ID (SSID) persistence feature, so very large client certificates (typically exceeding 16,384 bytes) are now cached correctly.

Behavior Change