Bug ID 1101705: The RSA-KEX cipher list is removed from the httpd configuration in FIPS mode, since these are non-approved ciphers for FIPS 140-3 certification

Last Modified: Jan 19, 2023

Bug Tracker

Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 17.0.0

Fixed In:
17.0.0.1, 16.1.3

Opened: Apr 22, 2022
Severity: 1-Blocking

Symptoms

- The RSA-KEX cipher list is removed from the httpd configuration when FIPS mode is enabled, since these are non-approved ciphers for FIPS 140-3 certification.
- This is a mandatory fix for FIPS 140-3 certification.

Impact

- BIG-IP systems running without this fix on a release targeted for certification (BIG-IP 16.1.x or later) will not be running a FIPS 140-3 certified configuration.
- HTTPS connections using RSA-KEX ciphers will not succeed when a FIPS 140-3 license is installed on the device.

Conditions

- BIG-IP versions 16.1.3 and above.
- Applies to systems requiring FIPS 140-3 certification.
- A FIPS 140-3 license is installed on the BIG-IP, or it is a FullBoxFIPS device.
- HTTPS connections are established using RSA-KEX based ciphers.
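To see which entries of an httpd-style (OpenSSL syntax) cipher string fall into the RSA key-exchange class that FIPS mode removes, the following audit script is an added example; it is not F5's code, the suite naming rules are OpenSSL/IANA conventions, and the sample cipher string is constructed for illustration.

```python
"""Audit an httpd-style (OpenSSL syntax) cipher string for RSA key-exchange
suites, the class FIPS 140-3 does not approve, and emit a cleaned string.
Constructed example, not F5 code. Suite names follow OpenSSL/IANA conventions."""
from __future__ import annotations

# OpenSSL-style name prefixes that denote a key exchange other than plain RSA.
NON_RSA_KEX_PREFIXES = (
    "ECDHE-", "DHE-", "EDH-", "ECDH-", "DH-", "ADH-", "AECDH-",
    "PSK-", "DHE-PSK-", "ECDHE-PSK-", "SRP-",
)


def is_rsa_kex(suite: str) -> bool:
    """True if the suite transports the premaster secret under RSA (incl. RSA-PSK)."""
    name = suite.upper()
    if name.startswith("EXP-"):      # export marker: drop it and classify the rest
        name = name[4:]
    if name.startswith("TLS_"):      # IANA names; TLS 1.3 suites (TLS_AES_...) never use RSA kex
        return name.startswith(("TLS_RSA_WITH_", "TLS_RSA_PSK_WITH_"))
    if name.startswith("RSA-PSK-"):
        return True
    return not name.startswith(NON_RSA_KEX_PREFIXES)


def audit_cipher_string(cipher_string: str) -> tuple[list[str], str]:
    """Return (suites FIPS mode would remove, cleaned cipher string).

    Aliases such as HIGH or ECDHE+AESGCM are passed through unchanged (they carry
    no dash and no TLS_ prefix); the kRSA alias is treated as RSA kex; '!kRSA' is
    appended so that alias expansion cannot reintroduce RSA key exchange."""
    removed, kept = [], []
    for token in filter(None, cipher_string.split(":")):
        bare = token.lstrip("!-+")
        is_suite = "-" in bare or bare.startswith("TLS_")
        if token.startswith(("!", "-")):
            kept.append(token)       # exclusions never enable anything; keep them
        elif bare == "kRSA" or (is_suite and is_rsa_kex(bare)):
            removed.append(token)
        else:
            kept.append(token)
    if "!kRSA" not in kept:
        kept.append("!kRSA")
    return removed, ":".join(kept)


# Constructed sample of an SSLCipherSuite value mixing RSA-KEX and (EC)DHE suites.
SAMPLE = "ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:DHE-RSA-AES256-SHA:HIGH:!aNULL:!MD5"

if __name__ == "__main__":
    gone, cleaned = audit_cipher_string(SAMPLE)
    print("removed in FIPS mode:", gone)
    print("cleaned cipher string:", cleaned)
```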

Workaround

None

Fix Information

Apply this fix to ensure that the system is compliant with FIPS 140-3 certification.

Behavior Change