Symptoms
SSL handshake will fail if Client initiates the handshake with TLS false start (Client SSL sends the SSL record data to server before Server sends out the CCS + FINISHED).
Impact
BIG-IP will send the RST to tear down the connection in TLS false start.
Conditions
1. Client initiates the SSL handshake with False Start.
2. BIG-IP has SSL hardware acceleration enabled(which is default for for non-VE version).
Workaround
1. Disable TLS False Start - that needs to be done on all clients so might not be feasible;
2. Disable SSL acceleration.
3. Disable AES-GCM ciphers in clientssl profile. Without AES-GCM clients will not try to use TLS false start and still be able to use (EC)DHE.
Fix Information
Do not process application data before verifying finished message and handshake complete.
