Bug ID 862557: Client-ssl profiles derived from clientssl-quic fail validation

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
15.1.0

Fixed In:
16.0.0, 15.1.0.1

Opened: Dec 16, 2019

Severity: 3-Major

Symptoms

After configuring a clientssl-quic profile, you get a validation error: 01b40001:3: A cipher group must be configured when TLS 1.3 is enabled (validation failed for profile /Common/clientssl-f5quic-udp).

Impact

You are unable to configure a clientssl profile to work with HTTP/3 + QUIC that is also customized to serve the right certificate, etc.

Conditions

This can occur when using the clientssl-quic built-in profile to build a profile that can serve HTTP/3 over QUIC.

Workaround

Modify the clientssl-quic profile to have the following properties:

    cipher-group quic
    ciphers none

This requires the following additional config objects:

    ltm cipher group quic {
        allow {
            quic { }
        }
    }
    ltm cipher rule quic {
        cipher TLS13-AES128-GCM-SHA256,TLS13-AES256-GCM-SHA384
        description "Ciphers usable by QUIC"
    }

Fix Information

Update the built-in configuration to pass validation.

Behavior Change
