Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3
Fixed In:
13.1.1.4
Opened: Sep 12, 2018
Severity: 2-Critical
Related Article: K21942600
Clientssl accepts Non-SSL traffic even when "Non-SSL Connections" is disabled.
Symptoms:
Connections to a VIP with a clientssl profile are not encrypted. If SSL client authentication is enabled, a plaintext request still succeeds, meaning that a client can gain access to resources that would otherwise require a valid client certificate.
Conditions:
In the clientssl profile, a Cipher Group is configured and one of the "No SSL/TLS/DTLS" options is enabled.
Workaround:
Use a Cipher String instead of a Cipher Group when configuring the clientssl profile.
Fix Information:
Cipher suites in a cipher group are properly validated before use.
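As an added example (not from the F5 article), an offline audit script that parses a constructed bigip.conf-style excerpt and flags clientssl profiles matching the conditions above: a cipher-group configured together with a "no-*" protocol option, with a cipher-string profile shown beside it as the workaround form. The tmsh property names (cipher-group, ciphers, options, allow-non-ssl), the option names and the profile and cipher-group names are assumptions of this example.

```python
import re

# Constructed bigip.conf-style excerpt (not taken from the article). The
# property names cipher-group, ciphers, options and allow-non-ssl follow tmsh
# naming and are assumptions of this example, as are the profile names.
SAMPLE_CONF = """
ltm profile client-ssl /Common/cssl_group {
    allow-non-ssl disabled
    cipher-group /Common/f5-secure
    options { dont-insert-empty-fragments no-sslv3 no-tlsv1 }
}
ltm profile client-ssl /Common/cssl_string {
    allow-non-ssl disabled
    ciphers DEFAULT:!SSLv3:!TLSv1
    options { dont-insert-empty-fragments }
}
ltm profile client-ssl /Common/cssl_group_plain {
    allow-non-ssl disabled
    cipher-group /Common/f5-default
    options { dont-insert-empty-fragments }
}
"""

# One clientssl profile block: name, then everything up to the closing brace line.
PROFILE_RE = re.compile(r"ltm profile client-ssl (\S+) \{(.*?)\n\}", re.S)

def parse_profiles(conf):
    """Return {name: {'cipher_group': str|None, 'no_options': [...]}} per clientssl profile."""
    profiles = {}
    for name, body in PROFILE_RE.findall(conf):
        cg = re.search(r"^\s*cipher-group (\S+)", body, re.M)
        opts = re.search(r"^\s*options \{([^}]*)\}", body, re.M)
        option_list = opts.group(1).split() if opts else []
        profiles[name] = {
            "cipher_group": cg.group(1) if cg else None,
            "no_options": [o for o in option_list if o.startswith("no-")],
        }
    return profiles

def affected_profiles(conf):
    """Profiles matching the bug's conditions: a Cipher Group plus a No-SSL/TLS/DTLS option."""
    return sorted(n for n, p in parse_profiles(conf).items()
                  if p["cipher_group"] and p["no_options"])

if __name__ == "__main__":
    for name in affected_profiles(SAMPLE_CONF):
        print(f"{name}: cipher-group with no-* option; use a cipher string until upgraded")
```

Only the cipher-group profile with a "no-*" option is reported; the cipher-string profile and the cipher-group profile without such an option are not.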