Bug ID 1205501: The iRule command SSL::profile can select server SSL profile with outdated configuration

Last Modified: Jul 11, 2024

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2

Fixed In:
17.1.1, 16.1.4, 15.1.9

Opened: Dec 06, 2022

Severity: 2-Critical

Symptoms

In a few circumstances, a server SSL profile selected by an iRule can send a previously configured certificate to the peer.

Impact

The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.

Conditions

The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.

Workaround

Terminate all traffic running on the virtual servers that are using the iRule command so that the update takes effect, or do not make changes to a profile that is actively being used by the iRule command.

Fix Information

The server SSL profiles are now reloaded successfully after changes are made.

Behavior Change
