Last Modified: Jul 11, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.5.0, 17.5.1
Opened: May 22, 2025
Severity: 3-Major
Configuring an HTTP/2 profile with enforce-tls-requirements enabled together with a client-ssl profile with renegotiation enabled is sometimes allowed when it should throw an error. When 'Enforce TLS Requirements' is configured in an HTTP/2 profile on a virtual server, the 'TLS Renegotiation' option needs to be disabled in the SSL profiles on that virtual server. But in some cases, the configuration is accepted without error even when the renegotiation option is enabled on the SSL profile.
When an HTTP/2 profile with enforce-tls-requirements enabled and a client SSL profile with renegotiation enabled are added to the virtual server, a configuration error occurs: 01070734:3: Configuration error: In Virtual Server (/Common/testVS) an http2 profile with enforce-tls-requirements enabled is incompatible with client ssl profile '/Common/testssl2'; renegotiation must be disabled
-- Virtual server with HTTP/2, HTTP, and client SSL profiles (any one of the profiles has renegotiation enabled).
1. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile (by default it is enabled).
2. Add multiple client SSL profiles with 'TLS Renegotiation' enabled.
3. Save the configuration. It does not throw the error.
None
None
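Because the validation described above is sometimes skipped, a saved configuration can be checked offline for the incompatible pairing. The following Python script is an added example, not F5 code: it assumes input in the style of `tmsh list ltm ... all-properties` output, so every property is listed explicitly, and the sample configuration and the profile names testh2 and testssl1 are constructed (testVS and testssl2 are taken from the error message above).

```python
import re

# Constructed sample; assumes every property is explicit (nothing inherited).
SAMPLE = """
ltm profile http2 /Common/testh2 {
    enforce-tls-requirements enabled
}
ltm profile client-ssl /Common/testssl1 {
    renegotiation disabled
}
ltm profile client-ssl /Common/testssl2 {
    renegotiation enabled
}
ltm virtual /Common/testVS {
    profiles {
        /Common/testh2 { }
        /Common/testssl1 { context clientside }
        /Common/testssl2 { context clientside }
    }
}
"""

def stanzas(text):
    """Yield (header words, body) for each top-level `header { body }` block."""
    depth, start, head, body_start = 0, 0, "", 0
    for m in re.finditer(r"[{}]", text):
        if m.group() == "{":
            if depth == 0:
                head, body_start = text[start:m.start()], m.end()
            depth += 1
        else:
            depth -= 1
            if depth == 0:
                yield head.split(), text[body_start:m.start()]
                start = m.end()

def audit(text):
    """Return (virtual server, client-ssl profile) pairs that should have been rejected."""
    h2_enforcing, ssl_reneg, virtuals = set(), set(), []
    for head, body in stanzas(text):
        kind, name = " ".join(head[:-1]), head[-1]
        if kind == "ltm profile http2" and re.search(r"(?m)^\s*enforce-tls-requirements\s+enabled", body):
            h2_enforcing.add(name)
        elif kind == "ltm profile client-ssl" and re.search(r"(?m)^\s*renegotiation\s+enabled", body):
            ssl_reneg.add(name)
        elif kind == "ltm virtual":
            virtuals.append((name, set(re.findall(r"(\S+)\s*\{", body))))  # attached names
    return [(vs, p) for vs, attached in virtuals if attached & h2_enforcing
            for p in sorted(attached & ssl_reneg)]
```

Calling `audit(SAMPLE)` reports testVS with testssl2, the one attached client SSL profile that still has renegotiation enabled; a virtual server with several client SSL profiles yields one pair per offending profile.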