We run a site that uses the F5 Networks BIG-IP load balancer, and OpenSSL 1.0.1 triggers this bug on the load balancer. When it occurs, the load balancer neither forwards the request to a pool member, nor does it respond to the OpenSSL client. There are warning messages in the load balancer's /var/log/ltm file:
warning tmm[5313]: 012f0002:4: WARN at ../modules/hudproxy/bigproto/pva/pva_frames.c:1234:Received illegal header padding 100 versus 2ff

Working with F5 Networks tech support, we have determined that this is a known issue, which they track as Bug 376483. It is fixed in the recently released BIG-IP LTM 10.2.4 software, though it is not mentioned in their release notes, and I confirm that TLS 1.2 connections no longer hang after upgrading to 10.2.4.

Derek Poon
University of British Columbia

Begin forwarded message:

> From: F5 Support - Emailclerk <[email protected]>
> Date: April 18, 2012 4:14:42 PM PDT
>
> Derek -
>
> Thanks for the data. After some pretty extensive research, it appears that
> while SOL 13037 was resolved as part of your update, you encountered a second
> known issue where the SSL connection hangs after OpenSSL v.1.0.1's Client
> Hello because it offered 80 ciphers.
>
> [...] This has been listed as Bug 376483, and is reported as having been
> fixed as of Version 10.2.4.
