Last Modified: Nov 07, 2022
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 11.6.4, 11.6.5, 18.104.22.168, 22.214.171.124, 126.96.36.199
Opened: Oct 31, 2014 Severity: 4-Minor
If the client and server SSL profiles have a cipher list such as TLSv1_2:TLSv1_1:TLSv1 and the server and client negotiates a cipher that is not supported by Proxy SSL such as DHE-RSA-AES128-SHA, the following error is logged to /var/log/ltm: err tmm: 01260014:3: Cipher 33:3 negotiated is not configured in profile /Common/ss_internal_proxyssl_cu.
The system presents a misleading log message that implies that the specified cipher is not supported, even though it is. The issue is more accurately described in this message: Cipher xx:x negotiated is not supported by Proxy SSL configured in virtual server /Common/vs_ssl_proxy.
This occurs when an unsupported cipher is negotiated. DHE is supported by BIG-IP (see SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)) and is included in TLS, but is not supported by SSL Proxy. As such, the current log message is incorrect and misleading.
In this release, when an unsupported cipher is negotiated, the system presents a message similar to the following: 'Cipher 33:3 negotiated is not supported by Proxy SSL configured in virtual server /Common/vs_ssl_proxy.'