
F5 - Defect ID: 1007505

TLS handshake times out if intermediate CA cert status cannot be determined

Last updated on 5/29/2024

  • Overall: 8.0
  • Severity: 9.1
  • Community: 4.1
  • Lifecycle: 7.1

Vendor details

  • Priority: 2-Critical
  • Status: Verified
  • Impact Category: Local Traffic Manager

Symptoms

The BIG-IP system resets an HTTPS connection. SSL handshake failure logs appear in /var/log/ltm:

    warning tmm1[2555]: 01260013:4: SSL Handshake failed for TCP 10.0.0.10:443 -> 10.0.0.20:60716

In the server-side packet trace, there is no Client Key Exchange message in response to the Server Hello Done message. The connection is then reset 10 seconds after the Server Hello Done message.

Impact

Clients cannot connect to the HTTPS pool members.

Conditions

  • OCSP is configured for the server SSL profile.
  • The OCSP responder cannot determine the intermediate CA cert status.

Workaround

For each affected host, add the certificate of the issuer of the server certificate to the CA bundle specified in the Trusted CA field of the server SSL profile.
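To find the hosts the workaround may apply to, the 01260013 lines in /var/log/ltm can be grouped by endpoint. The sketch below is an added example, not F5 code: its log lines are constructed from the sample under Symptoms, it handles IPv4 only, and it assumes the first endpoint in each line is the server, as in that sample. A host it lists is a candidate to check against the Conditions, since the log line alone does not show why the handshake failed.

```python
import re
from collections import Counter

# IPv4 only (assumption); message ID and layout follow the sample on this page.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HANDSHAKE_FAILED = re.compile(
    r"01260013:\d+:\s+SSL Handshake failed for TCP\s+"
    r"(" + IP + r"):(\d+)\s+->\s+(" + IP + r"):(\d+)"
)

# Constructed sample input: timestamps, hostname and the unrelated line are made up.
SAMPLE_LTM = """\
May 29 10:15:01 bigip1 warning tmm1[2555]: 01260013:4: SSL Handshake failed for TCP 10.0.0.10:443 -> 10.0.0.20:60716
May 29 10:15:11 bigip1 warning tmm1[2555]: 01260013:4: SSL Handshake failed for TCP 10.0.0.10:443 -> 10.0.0.20:60718
May 29 10:15:12 bigip1 notice example[4321]: constructed unrelated line
May 29 10:16:40 bigip1 warning tmm[2554]: 01260013:4: SSL Handshake failed for TCP 10.0.0.11:8443 -> 10.0.0.20:51022
""".splitlines()


def parse_failures(lines):
    """Yield ((ip, port), (ip, port)) for every handshake-failure line."""
    for line in lines:
        m = HANDSHAKE_FAILED.search(line)
        if m:
            yield (m.group(1), int(m.group(2))), (m.group(3), int(m.group(4)))


def candidate_hosts(lines, min_failures=1):
    """Return [(ip, port, failures)] for the first endpoint, most failures first.

    Assumption: the first endpoint is the server-side host, as in the page's sample.
    """
    counts = Counter(first for first, _ in parse_failures(lines))
    rows = [(ip, port, n) for (ip, port), n in counts.items() if n >= min_failures]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for ip, port, n in candidate_hosts(SAMPLE_LTM):
        print(f"{ip}:{port} handshake failures={n}")
```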

Fix Information

None
