Invalid Content-Length header caused Big-IP to terminate connection?
Hi all,
I updated our Big-IP cluster to 17.1.1.4 last Monday, and now I have a strange problem. When doing an HTTP request to any VIP, using POST but just as well GET or ..., and specifying an invalid "Content-Length" header, the Big-IP instantly terminates the connection as soon as the header is transmitted.
No error is logged in /var/log/ltm.
Examples:
Content-Length: haha
Content-Length: 2a
An empty Content-Length also causes the issue.
Curl example:
...
> User-Agent: curl/7.76.1
> Accept: */*
> Content-Length: aa
>
* OpenSSL SSL_read: Connection reset by peer, errno 104
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Unknown (21):
I don't have any special iRules that might assume Content-Length is numeric. And then I would expect a TCL error.
Now my question: can anybody running 17.1.1.4 do a simple Postman-like request, and include an invalid Content-Length header? Does this work for you?
I would like to hear if others have this problem as well before I make a support case.
Yes I know invalid Content-Length headers are not ok, but clients should not be punished for it imo. And GET should not have Content-Length anyway, but then the Big-IP should just ignore it, right?
Thank you
Vincent
3 Replies
Hi
I am running 17.1.1.3 and have only faced issues in optimized profiles. If you have issues, please check the 17.1.1.4 release notes to verify it, or raise a support ticket immediately to learn the issue and fix.
BIG-IP 17.1.1.4 Fixes and Known Issues
BR
Aswin
telnet 192.168.1.1 80
Trying 192.168.1.1...
Connected to 10.125.245.56.
Escape character is '^]'.
GET / HTTP/1.1
Host: test
Content-Length: abc
Connection closed by foreign host.
Same behavior in my environment. From which version did you upgrade?
I think this behavior change was introduced with this bug fix:
http://cdn.f5.com/product/bugtracker/ID1354253.html
"Yes I know invalid Content-Length headers are not ok, but clients should not be punished for it imo. And GET should not have Content-Length anyway, but then the Big-IP should just ignore it, right?"
Validating headers is essential for security, but it is bad that there is no logging entry.
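The strict check the reply above argues for, as an added example (not code from the thread or from F5): Content-Length is accepted only as ASCII digits, per the `1*DIGIT` grammar in RFC 9110, and every rejection is logged before the request is dropped. The function names, the logger name and the sample requests are constructed for illustration; RFC 9112 treats an invalid Content-Length as an unrecoverable framing error that a server answers with 400 before closing the connection.

```python
import logging
import re

log = logging.getLogger("http.framing")  # hypothetical logger name
DIGITS = re.compile(rb"[0-9]+")  # RFC 9110: Content-Length = 1*DIGIT, ASCII only


class FramingError(ValueError):
    """Unrecoverable framing error: answer 400, then close the connection."""


def reject(reason):
    # Log before dropping the request so the reset is visible to operators.
    log.warning("rejecting request: %s", reason)
    raise FramingError(reason)


def content_length(head: bytes):
    """Return the declared body length, or None when no Content-Length is sent.

    `head` is the request line and header lines, CRLF-separated.
    """
    values = []
    for line in head.split(b"\r\n")[1:]:
        if not line:  # blank line ends the header section
            break
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"content-length":
            continue
        if name != name.strip():
            reject("whitespace around the Content-Length field name")
        # Repeated headers and comma lists are collected together: they are
        # acceptable only if every member is valid and all are identical.
        values += [v.strip(b" \t") for v in value.split(b",")]
    if not values:
        return None
    if not all(DIGITS.fullmatch(v) for v in values) or len(set(values)) != 1:
        reject(f"invalid Content-Length {values!r}")
    return int(values[0])


def request(cl_value):
    # Constructed sample request; the header values tried come from the thread.
    return b"GET / HTTP/1.1\r\nHost: test\r\nContent-Length: " + cl_value + b"\r\n\r\n"


if __name__ == "__main__":
    for v in (b"haha", b"2a", b"", b"aa", b"abc", b"42"):
        try:
            print(v, "->", content_length(request(v)))
        except FramingError as exc:
            print(v, "-> 400 and close:", exc)
```

A lenient parser that reads `2a` as 2 while the next hop reads it differently leaves the two disagreeing on where the request ends, which is why the strict form is the safe one.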
- Vinne73
I think you are correct, this will be the cause probably. The article says it was fixed in 17.1.1, the version I'm coming from. So normally I should have already experienced the problem before, but I know these versions are sometimes not 100% correct. But I was running engineering hotfixes on 17.1.1 for unrelated problems.
I might contact F5 to see if there is a possibility to log this.
Thanks.