Daniel_Tavernie
Oct 10, 2013

Chrome v30 Triggers v10.2.x TLS and ClientHello Bugs -- Sites Down

The recent upgrade to Chrome v30 exploits a bug in 10.2.x where the BIG-IP refuses to respond to ClientHello with ServerHello. I am trying to determine in what version(s) this is actually fixed.

 

It seems this bug is two-fold: "From testing it appears that these servers hang the connection if:

1.  The ClientHello record is larger than 255 bytes _and_
2.  The record version is greater than 0x0301 (0x0301 = TLSv1.0).

This is different from the traditional F5 bug, which hangs the connection based only on the size of the ClientHello record."

(Above quoted from comment 17 on https://code.google.com/p/chromium/issues/detail?id=303398)

 

Issue "1" from above seems to have been fixed in 10.2.2 HF2: Bug ID 364699: "ClientHello SSL messages greater than 256 bytes in length no longer cause connections to clientssl virtual servers to stall, or re-negotiations to fail." (SOL13109)

 

The problem is that I have contacts experiencing the overall issue on 10.2.3 HF1 and 10.2.4 HF4.

 

There are reports that things work properly by 10.2.4 HF6 (From comment 18 on https://code.google.com/p/chromium/issues/detail?id=303398) -- I have not tested or heard about 10.2.4 HF5.

 

Issue "1" could also relate to 10.2.4-732.0 (HF5) which included F5 Bug ID 225445 (SOL8653 ††): "SSL handshakes with large, but RFC-compliant, messages (for example, large certificate chains) are now correctly handled by the BIG-IP." (†† SOL8653 does not mention v10.2.4, but the release notes include this F5 Bug ID.)

 

Issue "2" may have been dealt with in 10.2.2 HF1 and 10.2.3: Bug ID 363396 (SOL13037)

 

Bug ID 407706 (included in 10.2.4 HF6) may also be related: "BIG-IP is no longer susceptible to the attacks described in CVE-2013-0169." * While this CVE does not seem to be specifically relevant to this bug, the fixes touch TLSv1.1 and TLSv1.2, both of which are related to the issue you're seeing. It is quite possible that the fixes implemented by F5 for this bug also took care of your issue.

 

  • I have confirmed that 10.2.3-123.0 (HF1) is affected.
  • I have also opened SR1-313410437 with F5 Support.
  • I reformatted the question a bit and added potentially related Bug ID 407706 at the bottom.
  • F5 has developed an Engineering Hotfix for those on 10.2.3 HF1 that cannot upgrade to 10.2.4 or 11.x. (Upgrading to 10.2.4+ takes care of a lot of other bugs and is worth doing, but may be a longer-term fix.) Open a case with F5 and refer the engineer to SR1-313410437 (ticket) for full details.
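
To check a captured ClientHello against the two conditions quoted from the Chromium issue, the following added example (not part of the original post, and not F5 or Chromium code) parses the 5-byte TLS record header and reports each condition. It assumes "larger than 255 bytes" refers to the record-layer length field; the function names and sample records are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type
TLS1_0 = 0x0301        # record version named in the quoted comment
SIZE_LIMIT = 255       # assumption: applies to the record length field


def classify_client_hello(data: bytes) -> dict:
    """Report the two quoted conditions for the first TLS record in `data`."""
    if len(data) < 6:
        raise ValueError("need the record header plus the first handshake byte")
    # Record header: content type (1 byte), version (2), length (2), big-endian.
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype != TLS_HANDSHAKE or data[5] != CLIENT_HELLO:
        raise ValueError("first record is not a ClientHello")
    large = length > SIZE_LIMIT
    newer = version > TLS1_0
    return {
        "record_version": f"0x{version:04x}",
        "record_length": length,
        "size_condition": large,      # condition 1 in the quoted comment
        "version_condition": newer,   # condition 2 in the quoted comment
        "matches_both": large and newer,
    }


def constructed_record(version: int, length: int) -> bytes:
    """Constructed sample: valid header and handshake type, zero-filled body."""
    header = struct.pack("!BHH", TLS_HANDSHAKE, version, length)
    return header + bytes([CLIENT_HELLO]) + bytes(length - 1)


if __name__ == "__main__":
    # Constructed inputs covering each combination of the two conditions.
    for version, length in [(0x0303, 512), (0x0301, 512), (0x0303, 200)]:
        print(classify_client_hello(constructed_record(version, length)))
```

Only the first six bytes of the client's first flight are needed, so a truncated capture is sufficient input.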