Bug ID 701538: SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8

Fixed In:
14.0.0, 13.1.1, 12.1.3.5

Opened: Jan 11, 2018

Severity: 2-Critical

Symptoms

The SSL handshake fails if the client initiates the handshake with TLS False Start, that is, the client sends application data records to the server before the server has sent its ChangeCipherSpec (CCS) and Finished messages.

Impact

The BIG-IP system sends a TCP RST to tear down the connection when the client uses TLS False Start.

Conditions

1. The client initiates the SSL handshake with False Start.
2. The BIG-IP system has SSL hardware acceleration enabled (which is the default for non-Virtual Edition (VE) platforms).

Workaround

There are no true workarounds. You must remove one of the conditions to work around the issue:
-- Disable TLS False Start. (Note: this might not be feasible because it must be done on every client.)
-- Disable SSL acceleration.
-- Disable AES-GCM ciphers in the client SSL profile. Without AES-GCM, clients do not attempt TLS False Start and can still use (EC)DHE key exchange.

Fix Information

The system no longer processes application data before verifying that the Finished message has arrived and the handshake is complete.
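The following is an added, simplified model of the record ordering described under Symptoms and Fix Information; it is not BIG-IP code, and it assumes (as an illustration of the hardware-acceleration condition) that verification of the client's Finished message completes asynchronously, so an application data record sent with False Start can arrive while that verification is still pending. The `NaiveServer` path resets the connection in that window, as the bug record describes; the `queue_early_data` path holds the record until the handshake is complete and only then delivers it.

```python
"""Simplified model of a server handling a TLS 1.2 handshake when the
client uses False Start (application data sent right after the client's
Finished, before the server's CCS/Finished).  Constructed example; the
record labels and the asynchronous Finished verification are assumptions
for illustration, not a description of the BIG-IP implementation."""

from dataclasses import dataclass, field
from typing import List

# Record content types, labelled after the TLS record layer.
HANDSHAKE = "handshake"
CCS = "change_cipher_spec"
APP_DATA = "application_data"


@dataclass
class Record:
    kind: str
    payload: str


@dataclass
class Server:
    # When False, application data arriving before the handshake is
    # complete is treated as a protocol error and the connection is reset.
    # When True, it is queued until the Finished check succeeds.
    queue_early_data: bool
    state: str = "HANDSHAKE"          # HANDSHAKE -> VERIFYING -> ESTABLISHED | RESET
    pending: List[str] = field(default_factory=list)   # app data held during VERIFYING
    delivered: List[str] = field(default_factory=list) # app data passed to the application
    sent: List[str] = field(default_factory=list)      # messages the server emitted

    def receive(self, rec: Record) -> None:
        if self.state == "RESET":
            return
        if rec.kind == HANDSHAKE and rec.payload == "Finished":
            # Finished verification is offloaded (assumed asynchronous here);
            # nothing may be delivered until verification_done() fires.
            self.state = "VERIFYING"
        elif rec.kind == APP_DATA:
            if self.state == "ESTABLISHED":
                self.delivered.append(rec.payload)
            elif self.state == "VERIFYING" and self.queue_early_data:
                self.pending.append(rec.payload)
            else:
                # Data before the handshake is complete: tear the connection down.
                self.state = "RESET"
                self.sent.append("RST")
        # ClientKeyExchange, CCS and other handshake records need no special
        # handling in this model.

    def verification_done(self) -> None:
        """Called when the offloaded Finished check succeeds."""
        if self.state != "VERIFYING":
            return
        self.sent.extend(["ChangeCipherSpec", "Finished"])
        self.state = "ESTABLISHED"
        # Only now is it safe to hand the queued False Start data upward.
        self.delivered.extend(self.pending)
        self.pending.clear()


def run_false_start(queue_early_data: bool) -> Server:
    """Feed a constructed False Start client flight to a server model and
    return the server so the outcome can be inspected."""
    server = Server(queue_early_data=queue_early_data)
    client_flight = [
        Record(HANDSHAKE, "ClientKeyExchange"),
        Record(CCS, ""),
        Record(HANDSHAKE, "Finished"),
        # False Start: the request goes out before the server's Finished.
        Record(APP_DATA, "GET / HTTP/1.1"),
    ]
    for rec in client_flight:
        server.receive(rec)
    server.verification_done()
    return server


if __name__ == "__main__":
    naive = run_false_start(queue_early_data=False)
    print("naive:", naive.state, naive.sent, naive.delivered)
    fixed = run_false_start(queue_early_data=True)
    print("fixed:", fixed.state, fixed.sent, fixed.delivered)
```

Run as a script it prints the two outcomes side by side: the naive model ends in `RESET` with an `RST` sent and nothing delivered, while the queuing model sends `ChangeCipherSpec` and `Finished` and delivers the request once the handshake is complete.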

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips