Bug ID 987077: TLS1.3 with client authentication handshake failure

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2

Fixed In:
17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6

Opened: Jan 26, 2021
Severity: 3-Major

Symptoms

SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.

Impact

-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.

Conditions

-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.

Workaround

Use TLS1.2 or use TLS1.3 without the LTM authentication profile.

Fix Information

The handshake completes when using TLS1.3 with client authentication and an LTM authentication profile.

Behavior Change