Bug ID 743857: Clientssl accepts non-SSL traffic when cipher-group is configured

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3

Fixed In:
13.1.1.4

Opened: Sep 12, 2018

Severity: 2-Critical

Related Article: K21942600

Symptoms

Clientssl accepts non-SSL traffic even when "Non-SSL Connections" is disabled.

Impact

Connections to a VIP with a clientssl profile are not encrypted. If SSL client authentication is enabled, a plaintext request succeeds, meaning that a client can gain access to resources that would otherwise require a valid client certificate.

Conditions

In the clientssl profile, a Cipher Group is configured and one of the "No SSL/TLS/DTLS" options is enabled.

Workaround

Use a Cipher String instead of a Cipher Group when configuring the clientssl profile.
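The following is an added verification script, not F5 code and not part of this bug entry. It checks the behaviour described under Symptoms from the client side: it opens a plain TCP connection to a virtual server's TLS port, sends an unencrypted HTTP request, and classifies the reply. A clientssl profile with "Non-SSL Connections" disabled should close the connection or answer with a TLS alert, never with an HTTP response. The host, port and request line are assumptions you replace with your own virtual server; the sample replies in the comments are constructed.

```python
import socket
import sys

# Constructed sample request: a plaintext HTTP/1.0 request sent to a TLS listener.
PLAINTEXT_REQUEST = b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"

TLS_ALERT_CONTENT_TYPE = 0x15  # TLS record-layer content type for alert records

REJECTED_CLOSED = "rejected: connection closed without a response"
REJECTED_ALERT = "rejected: server sent a TLS alert record"
PLAINTEXT_ACCEPTED = "PLAINTEXT ACCEPTED: server answered an unencrypted HTTP request"
UNKNOWN = "unknown response"


def classify_response(data: bytes) -> str:
    """Classify what a TLS listener did with a plaintext HTTP request.

    Expected on a correctly configured clientssl profile: empty reply
    (connection closed) or a TLS alert record such as b"\\x15\\x03\\x01...".
    Symptom of this bug: a reply starting with b"HTTP/".
    """
    if not data:
        return REJECTED_CLOSED
    if data.startswith(b"HTTP/"):
        return PLAINTEXT_ACCEPTED
    # TLS record header: content type (1 byte), version major 0x03, version minor, length (2 bytes)
    if len(data) >= 5 and data[0] == TLS_ALERT_CONTENT_TYPE and data[1] == 0x03:
        return REJECTED_ALERT
    return UNKNOWN


def is_plaintext_accepted(data: bytes) -> bool:
    """True when the reply shows the listener served a request without TLS."""
    return classify_response(data) == PLAINTEXT_ACCEPTED


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect without TLS, send PLAINTEXT_REQUEST, and classify the reply."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PLAINTEXT_REQUEST)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
                if sum(len(c) for c in chunks) > 65536:
                    break  # enough to classify; do not read an entire page
        except (socket.timeout, ConnectionResetError):
            # A reset or a silent timeout both count as "no HTTP answer".
            pass
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    # Assumed defaults; pass your own virtual server address and port on the command line.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target_host}:{target_port} -> {probe(target_host, target_port)}")
```

Run it against the virtual server before and after switching the profile from a Cipher Group to a Cipher String (or after upgrading to a fixed version); a result of "PLAINTEXT ACCEPTED" means the profile is still serving unencrypted requests, and with client authentication enabled that is the access-control bypass described under Impact.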

Fix Information

Properly validate cipher suites in a cipher group before use.

Behavior Change
