Bug ID 480039: Need to configure "No SSLv2" in ServerSSL profile when using Camellia ciphers

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.2, 12.1.1, 12.1.0, 12.0.0

Opened: Sep 18, 2014

Severity: 3-Major

Symptoms

When COMPAT ciphers are configured in a ServerSSL profile and Camellia ciphers are used for the SSL connection to the backend server, BIG-IP initiates the client-hello with SSLv2, which Camellia ciphers do not support. If the server side is unable to handle this and ask for the right SSL version, it stops the SSL handshake process.

Impact

The SSL connection to the backend server cannot be started.

Conditions

1. COMPAT mode is configured and Camellia ciphers are used to connect to the backend server; and
2. The backend server runs OpenSSL with a protocol name specified, or is another server that can't handle an SSLv2 client-hello.

Workaround

When using Camellia ciphers in COMPAT mode, configure "No SSLv2" in the ServerSSL profile options list.
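
To confirm from a packet capture whether the hello sent to the backend shows the symptom above, before and after applying the workaround, the following added example (not F5 code) classifies the first bytes of the server-side connection. It assumes "client-hello with SSLv2" means the SSLv2-format ClientHello framing, checks only two Camellia suite IDs from RFC 5932, and uses constructed sample bytes.

```python
import struct

# Two Camellia suite IDs from RFC 5932 (a subset; extend as needed).
CAMELLIA = {0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
            0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"}

def _result(framing, suites=()):
    names = [CAMELLIA[s] for s in suites if s in CAMELLIA]
    # Symptom in this bug: an SSLv2-framed hello that offers Camellia.
    return {"framing": framing, "camellia": names,
            "matches_symptom": framing == "sslv2" and bool(names)}

def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes sent toward the backend server."""
    # SSLv2 framing: 2-byte length with the high bit set, then msg type 1.
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        _maj, _min, spec_len, sid_len, chal_len = struct.unpack(">BBHHH", data[3:11])
        if (spec_len % 3 or len(data) < 2 + rec_len
                or 9 + spec_len + sid_len + chal_len != rec_len):
            return _result("unknown")
        specs = data[11:11 + spec_len]
        # 3-byte cipher specs; a leading 0x00 carries an SSLv3/TLS suite ID.
        suites = [int.from_bytes(specs[i + 1:i + 3], "big")
                  for i in range(0, spec_len, 3) if specs[i] == 0]
        return _result("sslv2", suites)
    # TLS record framing: content type 22, major version 3, handshake type 1.
    if len(data) >= 46 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        pos = 44 + data[43]  # past headers, version, random and session id
        if len(data) < pos + 2:
            return _result("unknown")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        body = data[pos + 2:pos + 2 + n]
        if n % 2 or len(body) != n:
            return _result("unknown")
        suites = [int.from_bytes(body[i:i + 2], "big") for i in range(0, n, 2)]
        return _result("tls-record", suites)
    return _result("unknown")

# Constructed samples: the same two suites offered in each framing.
SAMPLE_V2 = bytes.fromhex("801f01" "0301" "0006" "0000" "0010"
                          "000041" "000084") + bytes(16)
SAMPLE_TLS = (bytes.fromhex("160301002f" "0100002b" "0301") + bytes(32)
              + bytes.fromhex("00" "0004" "0041" "0084" "0100"))

if __name__ == "__main__":
    for name, sample in (("v2", SAMPLE_V2), ("tls", SAMPLE_TLS)):
        print(name, classify_client_hello(sample))
```
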

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips