Bug ID 1205501: The iRule command SSL::profile can select server SSL profile with outdated configuration

Last Modified: Jun 06, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2

Opened: Dec 06, 2022

Severity: 2-Critical

Symptoms

Under few circumstances, an iRule selected server SSL profile can send previously configured certificate to the peer.

Impact

The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.

Conditions

The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.

Workaround

Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect. or Do not make changes to a profile that is actively being used by the iRule command.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips