Bug ID 487983: VS Proxy SSL reports misleading error when unsupported cipher is negotiated

Last Modified: Nov 07, 2022


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
12.0.0

Opened: Oct 31, 2014
Severity: 4-Minor

Symptoms

If the client and server SSL profiles have a cipher list such as TLSv1_2:TLSv1_1:TLSv1 and the server and client negotiate a cipher that is not supported by Proxy SSL, such as DHE-RSA-AES128-SHA, the following error is logged to /var/log/ltm:

err tmm[10465]: 01260014:3: Cipher 33:3 negotiated is not configured in profile /Common/ss_internal_proxyssl_cu.

Impact

The system presents a misleading log message that implies that the specified cipher is not supported, even though it is. The issue is more accurately described in this message: Cipher xx:x negotiated is not supported by Proxy SSL configured in virtual server /Common/vs_ssl_proxy.

Conditions

This occurs when an unsupported cipher is negotiated. DHE is supported by BIG-IP (see SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)) and is included in TLS, but is not supported by Proxy SSL. As such, the current log message is incorrect and misleading.
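
For triaging these entries on affected versions, the following is an added example (not F5 code) that parses 01260014 lines and separates DHE negotiations, where the message is misleading, from cases where the profile cipher list is worth checking. It assumes the first field of "Cipher 33:3" is the hexadecimal IANA cipher-suite ID (0x0033 is DHE-RSA-AES128-SHA, which matches this page) and that RSA key-exchange suites are the ones Proxy SSL handles; the sample log lines and the host name are constructed.

```python
import re

# Assumption: the first field of "Cipher 33:3" is the hexadecimal IANA
# cipher-suite ID (0x0033 = DHE-RSA-AES128-SHA, matching this page).
SUITES = {
    0x002F: "AES128-SHA",             # RSA key exchange
    0x0035: "AES256-SHA",             # RSA key exchange
    0x003C: "AES128-SHA256",          # RSA key exchange
    0x0033: "DHE-RSA-AES128-SHA",     # DHE key exchange
    0x0039: "DHE-RSA-AES256-SHA",     # DHE key exchange
    0x0067: "DHE-RSA-AES128-SHA256",  # DHE key exchange
}

# Constructed sample in the /var/log/ltm format quoted on this page.
SAMPLE_LOG = """\
Oct 31 10:15:02 bigip1 err tmm[10465]: 01260014:3: Cipher 33:3 negotiated is not configured in profile /Common/ss_internal_proxyssl_cu.
Oct 31 10:15:09 bigip1 err tmm[10465]: 01260014:3: Cipher 2f:3 negotiated is not configured in profile /Common/ss_internal_proxyssl_cu.
Oct 31 10:16:40 bigip1 info constructed unrelated line
"""

MSG = re.compile(
    r"01260014:3: Cipher (?P<id>[0-9a-fA-F]+):(?P<sub>\d+) negotiated is "
    r"not configured in profile (?P<profile>\S+?)\.?$"
)

def triage(line):
    """Return a verdict dict for a 01260014 line, or None for other lines."""
    m = MSG.search(line.strip())
    if not m:
        return None
    name = SUITES.get(int(m["id"], 16), "unknown")
    if name.startswith("DHE-"):
        # The condition this bug describes: the profile may well list the
        # cipher, but Proxy SSL does not support DHE.
        verdict = "misleading: cipher not supported by Proxy SSL"
    elif name == "unknown":
        verdict = "unmapped cipher ID: look it up before trusting the message"
    else:
        verdict = "check the profile cipher list"
    return {"cipher": name, "profile": m["profile"], "verdict": verdict}

def triage_log(text):
    """Triage every matching line in a block of log text."""
    return [r for r in map(triage, text.splitlines()) if r]

if __name__ == "__main__":
    for result in triage_log(SAMPLE_LOG):
        print(result)
```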

Workaround

None

Fix Information

In this release, when an unsupported cipher is negotiated, the system presents a message similar to the following: 'Cipher 33:3 negotiated is not supported by Proxy SSL configured in virtual server /Common/vs_ssl_proxy.'

Behavior Change