Bug ID 490801: mod_ssl: missing support for TLSv1.1 and TLSv1.2

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 12.0.0

Fixed In:
12.1.0, 12.0.0 HF1, 11.6.1, 11.5.4 HF2

Opened: Nov 14, 2014
Severity: 2-Critical
Related AskF5 Article:
K17491

Symptoms

This is due to using older versions of httpd (which includes mod_ssl ...). Newer versions of httpd as of 2.2.15-39 include the necessary support for TLSv1.1 and TLSv1.2.

Impact

No support is provided for TLSv1.1 and TLSv1.2.

Conditions

Any older versions of httpd which are not upgraded to 2.2.15-39 or selectively patched for the mod_ssl component will not be able to provide support for TLSv1.1 and TLSv1.2. Note that in older releases, there is a dependency on openssl 1.0.1 for a backport of the mod_ssl changes to actually support TLSv1.1 and TLSv1.2.

Workaround

Upgrade to one of the following: 12.0.0-hf1 - includes changes to mod_ssl 12.1.0 - includes update to httpd 2.2.15-39

Fix Information

Upgrade to httpd 2.2.15-39 (from el6.6) provides the needed changes to mod_ssl to support TLSv1.1 and TLSv1.2.

Behavior Change