Bug ID 915973: DTLS 1.2 may fall back to TLS 1.2 on Windows

Last Modified: May 29, 2024

Affected Product(s):
APM-Clients APM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3

Fixed In:
7.2.2

Opened: Jun 10, 2020

Severity: 3-Major

Symptoms

Microsoft Windows may fail to establish a DTLS connection if the certificate key for the SHA-2 algorithm (SHA-256, SHA-384, and SHA-512) is not available for 'Microsoft Enhanced RSA and AES Cryptographic Provider'.

Impact

VPN connection on Windows may fail to establish DTLS 1.2 connection and fallback to TLS (establish VPN connection using TLS).

Conditions

-- APM Network Access resource configured with DTLS. -- DTLS v1.2 virtual server configured with client certificate 'request' or 'required' option.

Workaround

1. Import the client certificate key into 'Microsoft Enhanced RSA and AES Cryptographic Provider'. 2. When creating certificate packages, explicitly specify the crypto provider: Microsoft Enhanced RSA and AES Cryptographic Provider. For example use -CSP argument with OpenSSL command: openssl pkcs12 -export -in client_auth.crt -inkey client_auth.key -out client_auth_2.pkcs12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips