Bug ID 453720: clientssl profile validation fails to detect config with no cert/key name and no cert/key

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP Install/Upgrade, LTM (all modules)

Known Affected Versions:
11.5.3, 11.5.2, 11.5.1

Fixed In:
11.6.0, 11.5.4

Opened: Mar 24, 2014

Severity: 3-Major

Related Article: K11140613

Symptoms

The system does not prevent creation of a clientssl profile with no cert-key-chain name and no cert/key (or a cert/key of 'default'), and does not post an error alerting the user to the condition. The system creates the profile without error. This can cause issues when upgrading.

Impact

The system incorrectly allows a blank cert-key-chain name and an empty cert/key in clientssl profiles. When upgrading such a profile to versions 11.5.4, 11.6.0, 12.0.0, or later, the configuration fails to load with a message similar to the following:

-- 01070315:3: profile /Common/my_client_ssl requires a key
   Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.

Conditions

This occurs when attempting to create a clientssl profile without a cert-key-chain name or cert/key, or a cert/key of 'default'. Note: The system should prevent this, but does not do so in versions 11.5.1, 11.5.2, or 11.5.3.

Workaround

Use the following steps to work around this issue:

-- To correct the configuration, run the following command:
   sed -ie '/"" { }/d' /config/bigip.conf
-- To load the modified configuration, run the following command:
   tmsh load sys config

Note: To determine whether profiles are affected, run the following command:
   grep '"" { }' /config/bigip.conf -A2 -B1
On affected profiles, the system returns the following output:
   cert-key-chain { "" { }
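The grep check above shows the matching lines but not which profile they belong to, and the sed command deletes every line that matches the pattern. As an added example (not F5's code), the script below names each affected profile and flags matches found outside a cert-key-chain block; the stanza layout, the sample config and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Prints "AFFECTED <profile>" for each client-ssl profile whose
# cert-key-chain holds the empty entry, and "OTHER ..." for any other line the
# workaround sed pattern would delete. Assumed layout: top-level stanzas start
# in column 0 and end with "{"; the entry follows the "cert-key-chain {" line.
find_empty_cert_key_chain() {
    awk '
        /^[^ \t#].*[{][ \t]*$/ { stanza = $0; sub(/[ \t]*[{][ \t]*$/, "", stanza) }
        /"" [{] [}]/ {
            if (prev ~ /^[ \t]*cert-key-chain [{][ \t]*$/ && stanza ~ /^ltm profile client-ssl /) {
                n = split(stanza, f, " "); print "AFFECTED " f[n]
            } else {
                print "OTHER line " NR " in: " stanza
            }
        }
        NF { prev = $0 }
    ' "$1"
}

# Constructed sample config; the last stanza is a made-up placeholder.
write_sample() {
    cat > "$1" <<'EOF'
ltm profile client-ssl /Common/my_client_ssl {
    cert-key-chain {
        "" { }
    }
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/good_ssl {
    cert-key-chain {
        good_chain {
            cert /Common/site.crt
            key /Common/site.key
        }
    }
}
placeholder stanza /Common/not_a_profile {
    placeholder-list {
        "" { }
    }
}
EOF
}

if [ $# -gt 0 ]; then
    find_empty_cert_key_chain "$1"      # e.g. /config/bigip.conf
else
    tmp=$(mktemp) && write_sample "$tmp" && find_empty_cert_key_chain "$tmp"; rm -f "$tmp"
fi
```

Running it against a copy of the configuration before an upgrade lists the profiles that would fail to load; any OTHER line is worth reviewing by hand before applying the sed command.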

Fix Information

The system now presents an error message when attempting to create a clientssl profile without a cert-key-chain name and a cert/key (or a cert/key of 'default'), and prevents the creation of the profile, so potential upgrade failures no longer occur.
