Bug ID 701538: SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured

Last Modified: Dec 03, 2018


Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8

Fixed In:
14.0.0, 13.1.1, 12.1.3.5

Opened: Jan 11, 2018
Severity: 2-Critical

Symptoms

The SSL handshake fails if the client initiates the handshake with TLS False Start, that is, the client sends application data records to the server before the server has sent its ChangeCipherSpec and Finished messages.

Impact

The BIG-IP system sends a RST to tear down the connection when the client uses TLS False Start.

Conditions

1. The client initiates the SSL handshake with TLS False Start.
2. The BIG-IP system has SSL hardware acceleration enabled (the default for non-Virtual Edition (VE) platforms).

Workaround

There are no true workarounds. To work around the issue, you must remove one of the conditions:
-- Disable TLS False Start. (Note: this might not be feasible because it must be done on every client.)
-- Disable SSL hardware acceleration.
-- Disable AES-GCM ciphers in the client SSL profile. Without AES-GCM, clients do not attempt TLS False Start and can still use (EC)DHE.

Fix Information

The system no longer processes application data before verifying that the Finished message has arrived and the handshake is complete.

Behavior Change