Bug ID 701147: ProxySSL does not work properly with Extended Master Secret and OCSP

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5

Fixed In:
14.0.0, 13.1.0.6

Opened: Jan 09, 2018
Severity: 3-Major
Related Article:
K36563645

Symptoms

The SSL handshake fails when the BIG-IP system is operating in ProxySSL mode and the client and server negotiate to use the Extended Master Secret and OCSP features together.

Impact

ProxySSL does not work properly with Extended Master Secret and OCSP simultaneously.

Conditions

1. The virtual server is configured to work in ProxySSL mode.
2. The client and server negotiate the SSL handshake with the Extended Master Secret.
3. The client and server negotiate to use OCSP.

Workaround

None.

Fix Information

The certificate status message is now included in the calculation of the Extended Master Secret.
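
Why the omitted message breaks the handshake, as an added illustration (not F5 code): RFC 7627 derives the master secret from a hash of every handshake message through ClientKeyExchange, so an intermediary whose transcript lacks the stapled CertificateStatus computes a different key than the endpoints. The message bodies, the pre-master secret, the RSA-style message flow and the SHA-256 PRF are constructed assumptions.

```python
import hashlib
import hmac

def p_sha256(secret, seed, length):
    """TLS 1.2 P_hash with HMAC-SHA256 (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def handshake_msg(msg_type, body):
    """Frame a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def extended_master_secret(pre_master, transcript):
    """RFC 7627: PRF(pms, "extended master secret", Hash(handshake_messages))."""
    session_hash = hashlib.sha256(b"".join(transcript)).digest()
    return p_sha256(pre_master, b"extended master secret" + session_hash, 48)

# Constructed placeholder bodies; real messages carry encoded TLS structures.
CLIENT_HELLO = handshake_msg(1, b"constructed-client-hello")
SERVER_HELLO = handshake_msg(2, b"constructed-server-hello")
CERTIFICATE = handshake_msg(11, b"constructed-certificate-chain")
CERT_STATUS = handshake_msg(22, b"constructed-ocsp-response")  # OCSP stapling, RFC 6066
SERVER_HELLO_DONE = handshake_msg(14, b"")
CLIENT_KEY_EXCHANGE = handshake_msg(16, b"constructed-encrypted-pms")
PRE_MASTER = bytes(range(48))  # constructed pre-master secret

def endpoint_secret():
    """Key the client and server derive: the full transcript as sent on the wire."""
    return extended_master_secret(PRE_MASTER, [
        CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, CERT_STATUS,
        SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE])

def proxy_secret(include_cert_status):
    """Key an intermediary derives, with or without CertificateStatus hashed."""
    transcript = [CLIENT_HELLO, SERVER_HELLO, CERTIFICATE]
    if include_cert_status:
        transcript.append(CERT_STATUS)
    transcript += [SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE]
    return extended_master_secret(PRE_MASTER, transcript)

if __name__ == "__main__":
    print("omitting CertificateStatus matches endpoints:",
          proxy_secret(False) == endpoint_secret())
    print("including CertificateStatus matches endpoints:",
          proxy_secret(True) == endpoint_secret())
```

Without the Extended Master Secret, the master secret depends only on the pre-master secret and the two hello randoms, which is why the mismatch appears only when both features are negotiated together.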

Behavior Change