Operational Defect Database

BugZero found this defect 37 days ago.

F5 | 1577161

BIG-IP tries to resume SSL sessions when session ID matches partially

Last update date:

4/26/2024

Affected products:

BIG-IP

BIG-IP LTM

Affected releases:

13.1.5.1

14.1.5.6

15.1.10.4

16.1.3.5

16.1.4

16.1.4.1

16.1.4.2

16.1.4.3

17.1.1.2

17.1.1.3

Fixed releases:

No fixed releases provided.

Description:

Bug ID 1577161: BIG-IP tries to resume SSL sessions when session ID matches partially

Last Modified: Apr 26, 2024
Severity: 3-Major

Symptoms:

After receiving an SSL session ID that only partially matches a session ID in the cache, a VIP with a client SSL profile attempts to resume the session.

For example, given an existing session ID:

session_id[32] = 28 67 9b 30 dc 8a 6e f4 d1 ef 80 f9 04 93 d6 3d fb 2e ea b5 ac c2 be f1 6b e7 42 ef 54 a3 a6 cd

when a client sends a ClientHello asking to resume with

session_id[32] = 12 11 11 12 12 12 12 12 11 11 80 f9 04 93 d6 3d fb 2e ea b5 ac c2 be f1 6b e7 42 ef 54 a3 a6 cd

BIG-IP resumes the session, even though the first 10 bytes differ.

Impact:

The BIG-IP sends a ServerHello with a Session ID different from the one in the ClientHello and then attempts to resume the TLS session.

Conditions:

- Create a VIP with a client SSL profile.
- Create a new session (for example with s_client).
- Try to reuse the existing session with a few bytes of the session ID modified.

Workaround:
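The following added example (not F5 code, and not a description of BIG-IP internals) models the symptom and the check a defender would apply to it. It uses the two 32-byte session IDs from the description above; the `SessionCache` class, the assumption that the defective lookup keys on the trailing bytes of the ID, and the `master_secret` value are constructed for illustration. A correct cache hit requires every byte of the ID to match, and per RFC 5246 section 7.4.1.3 a server that resumes must echo the ClientHello session_id unchanged, which is exactly the condition that fails in the Impact section.

```python
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Session IDs taken from the defect description on this page.
CACHED_ID = bytes.fromhex(
    "28679b30dc8a6ef4d1ef80f90493d63dfb2eeab5acc2bef16be742ef54a3a6cd")
MODIFIED_ID = bytes.fromhex(
    "12111112121212121111" "80f90493d63dfb2eeab5acc2bef16be742ef54a3a6cd")

# Assumption for the model: the defective lookup ignores this many leading
# bytes. Chosen to reproduce the page's example, not taken from BIG-IP.
IGNORED_PREFIX_LEN = 10


def differing_byte_offsets(a: bytes, b: bytes) -> List[int]:
    """Offsets at which two equal-length session IDs disagree."""
    if len(a) != len(b):
        raise ValueError("session IDs must have equal length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


class SessionCache:
    """Toy TLS 1.2-style session cache (constructed for this example)."""

    def __init__(self) -> None:
        self._by_full_id: Dict[bytes, dict] = {}
        # Hypothetical secondary index keyed on only part of the ID: the
        # modelled defect.
        self._by_partial_id: Dict[bytes, dict] = {}

    def store(self, session_id: bytes, state: dict) -> None:
        self._by_full_id[session_id] = state
        self._by_partial_id[session_id[IGNORED_PREFIX_LEN:]] = state

    def lookup_partial(self, session_id: bytes) -> Optional[dict]:
        """Defective: a hit whenever the trailing bytes of the ID agree."""
        return self._by_partial_id.get(session_id[IGNORED_PREFIX_LEN:])

    def lookup_full(self, session_id: bytes) -> Optional[dict]:
        """Correct: a hit only when all 32 bytes are equal."""
        return self._by_full_id.get(session_id)


def server_hello(cache: SessionCache, client_sid: bytes,
                 partial: bool) -> Tuple[bytes, bool]:
    """Return (ServerHello.session_id, resumed).

    On a cache hit the server echoes the cached ID and resumes; on a miss it
    issues a fresh random ID and performs a full handshake.
    """
    state = (cache.lookup_partial(client_sid) if partial
             else cache.lookup_full(client_sid))
    if state is not None:
        return state["session_id"], True
    return os.urandom(32), False


def resumption_is_consistent(client_sid: bytes, server_sid: bytes,
                             resumed: bool) -> bool:
    """RFC 5246 s.7.4.1.3: a resuming server must echo the client's session_id.

    Resuming under a different ID is the observable impact of this defect and
    is what a passive check over handshake captures should flag.
    """
    return (not resumed) or hmac.compare_digest(client_sid, server_sid)


def demo(partial: bool) -> Tuple[bytes, bool, bool]:
    """Run one resumption attempt with the page's modified ID against a cache
    holding the original. Returns (server_sid, resumed, consistent)."""
    cache = SessionCache()
    cache.store(CACHED_ID, {"session_id": CACHED_ID,
                            "master_secret": b"constructed-placeholder"})
    sid, resumed = server_hello(cache, MODIFIED_ID, partial)
    return sid, resumed, resumption_is_consistent(MODIFIED_ID, sid, resumed)


if __name__ == "__main__":
    print("bytes that differ:", differing_byte_offsets(CACHED_ID, MODIFIED_ID))
    for mode in (True, False):
        sid, resumed, ok = demo(partial=mode)
        print(f"partial-match lookup={mode}: resumed={resumed}, "
              f"server echoed client id={sid == MODIFIED_ID}, consistent={ok}")
```

Run as a script, the partial-match mode resumes with the cached ID while the client presented a different one, and `resumption_is_consistent` returns False; the full-match mode falls back to a full handshake. The same `resumption_is_consistent` comparison, applied to the ClientHello and ServerHello session_id fields of a capture, is the check a defender can use to confirm the condition on a live VIP.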


Status

New
