Bug ID 745774: Creating EC-only client SSL profile for forward-proxy without RSA key certs defined results in invalid profile

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
14.0.1, 14.0.0.5, 14.0.0.4, 14.0.0.3, 14.0.0.2, 14.0.0.1, 14.0.0, 13.1.3.6, 13.1.3.5

Fixed In:
14.1.0.1, 14.1.0

Opened: Oct 03, 2018

Severity: 3-Major

Symptoms

When you create an EC-key-cert-only client SSL profile and attach it to the virtual server, TMM marks the profile as invalid and reports an error in /var/log/ltm:

crit tmm[16024]: 01260000:2: Profile /Common/c.f: could not load default key file; invalidating profile.
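To find which client SSL profiles were invalidated this way, the message quoted above can be searched for in the LTM log. The script below is an added example, not F5 code; the syslog timestamp/host prefix, the tmm1 thread name and the second profile name in the sample are constructed assumptions.

```python
import re
import sys
from collections import Counter

# Message text and code are taken from the log line quoted on this page.
# The profile path is captured so each affected profile is reported once.
INVALIDATED = re.compile(
    r"tmm\d*\[\d+\]:\s+01260000:2:\s+"
    r"Profile (?P<profile>/\S+): could not load default key file; "
    r"invalidating profile"
)

# Constructed sample input (prefix fields and extra lines are assumptions).
SAMPLE_LTM_LOG = """\
Oct  3 10:15:01 bigip1 crit tmm[16024]: 01260000:2: Profile /Common/c.f: could not load default key file; invalidating profile.
Oct  3 10:15:01 bigip1 crit tmm1[16024]: 01260000:2: Profile /Common/c.f: could not load default key file; invalidating profile.
Oct  3 10:15:07 bigip1 info constructed[1]: unrelated line
Oct  3 10:16:30 bigip1 crit tmm[16024]: 01260000:2: Profile /Common/ec_only_fwd: could not load default key file; invalidating profile.
"""


def invalidated_profiles(lines):
    """Return {profile_path: occurrences} for profiles TMM invalidated."""
    hits = Counter()
    for line in lines:
        match = INVALIDATED.search(line)
        if match:
            hits[match.group("profile")] += 1
    return dict(hits)


def report(lines):
    """Format one line per affected profile, most frequent first."""
    found = invalidated_profiles(lines)
    ordered = sorted(found.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{profile}\tinvalidated {count}x" for profile, count in ordered]


if __name__ == "__main__":
    # Pass a log path (for example /var/log/ltm); defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE_LTM_LOG.splitlines()
    print("\n".join(report(source)) or "no invalidated profiles found")
```

Each profile it reports should then be checked against the conditions listed below (EC key/cert only, forward proxy enabled, no RSA key/cert).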

Impact

The system marks that client SSL profile invalid, rendering it unusable.

Conditions

The issue is seen when the following conditions are met:
-- An EC-type cert/key pair is configured on the client SSL profile.
-- Forward proxy is enabled in the client SSL profile.
-- No RSA key cert is configured on the client SSL profile.

Workaround

Also configure an RSA-type key cert on the client SSL profile.

Fix Information

The client SSL profile no longer has the restriction for key/cert type when forward proxy is enabled.

Behavior Change
