Bug ID 987077: TLS1.3 with client authentication handshake failure

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2

Fixed In:
17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6

Opened: Jan 26, 2021

Severity: 3-Major

Symptoms

SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.

Impact

-- A handshake failure occurs. -- Client certificate authentication may pass without checking its validity via OCSP.

Conditions

-- LTM authentication profile using OCSP and TLS1.3. -- Client application data arrives during LTM client authentication iRule.

Workaround

Use TLS1.2 or use TLS1.3 without the LTM authentication profile.

Fix Information

Handshake completes if using TLS1.3 with client authentication and LTM auth profile.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips