Bug ID 487983: VS Proxy SSL reports misleading error when unsupported cipher is negotiated

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:

Opened: Oct 31, 2014

Severity: 4-Minor


If the client and server SSL profiles have a cipher list such as TLSv1_2:TLSv1_1:TLSv1 and the server and client negotiates a cipher that is not supported by Proxy SSL such as DHE-RSA-AES128-SHA, the following error is logged to /var/log/ltm: err tmm[10465]: 01260014:3: Cipher 33:3 negotiated is not configured in profile /Common/ss_internal_proxyssl_cu.


The system presents a misleading log message that implies that the specified cipher is not supported, even though it is. The issue is more accurately described in this message: Cipher xx:x negotiated is not supported by Proxy SSL configured in virtual server /Common/vs_ssl_proxy.


This occurs when an unsupported cipher is negotiated. DHE is supported by BIG-IP (see SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)) and is included in TLS, but is not supported by SSL Proxy. As such, the current log message is incorrect and misleading.



Fix Information

In this release, when an unsupported cipher is negotiated, the system presents a message similar to the following: 'Cipher 33:3 negotiated is not supported by Proxy SSL configured in virtual server /Common/vs_ssl_proxy.'

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips