Bug ID 492085: Replacing an entry in an SSL profile's certificate-key chain may cause it to be added, not replaced, when synced to other devices

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.5.3, 11.5.2, 11.5.1

Opened: Nov 20, 2014

Severity: 3-Major

Related Article: K33287450

Symptoms

If an entry of a profile's certificate-key chain is replaced, and then a full load sync is performed, then the receiving device will have the newly chosen keypair added to the chain instead of replaced.

Impact

If the two keys are of the same type, then it is not deterministic which key will be used, so the SSL handshake might happen with the wrong key.

Conditions

This issue occurs when all of the following conditions are met:
-- You have multiple BIG-IP systems in an HA configuration.
-- Your configuration includes one or more virtual servers with an associated client SSL profile.
-- You have performed at least one full configuration synchronization (ConfigSync) to the HA peer devices.
-- You create or import a new SSL certificate and key pair.
-- You perform the following modifications to one or more client SSL profiles:
   + Select the box to allow editing of the Certificate Key Chain option.
   + Select the currently associated SSL certificate and key object.
   + Select Edit and choose the new SSL certificate and key from the Certificate and Key options.
-- Perform a full ConfigSync to the peer HA devices.

Note: This issue occurs because both the new and existing SSL certificate / key pairs are associated with the SSL profile on remote BIG-IP HA peers.
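A check for the symptom on a peer after the ConfigSync, added here as an example and not F5's own tooling: it parses the output of `tmsh list ltm profile client-ssl` (the sample below is constructed and the stanza layout it assumes is an assumption) and reports profiles whose cert-key-chain carries more than one entry.

```python
import re
# Constructed sample of `tmsh list ltm profile client-ssl` output (stanza layout is assumed):
# app1 was replaced correctly on the peer; app2 shows the symptom, old and new pair both present.
SAMPLE_TMSH_OUTPUT = """\
ltm profile client-ssl /Common/app1_clientssl {
    cert-key-chain {
        default {
            cert /Common/app1_2023.crt
            key /Common/app1_2023.key
        }
    }
}
ltm profile client-ssl /Common/app2_clientssl {
    cert-key-chain {
        default {
            cert /Common/app2_2022.crt
            key /Common/app2_2022.key
        }
        app2_2023 {
            cert /Common/app2_2023.crt
            key /Common/app2_2023.key
        }
    }
}
"""

def parse_cert_key_chains(tmsh_text):
    """Map each client-ssl profile to its cert-key-chain entries as (name, cert, key)."""
    chains, profile, in_chain, entry, fields = {}, None, False, None, {}
    for raw in tmsh_text.splitlines():
        line = raw.strip()
        if m := re.match(r"^ltm profile client-ssl (\S+) \{$", line):
            profile = m.group(1)
            chains[profile] = []
        elif profile is None:
            continue  # ignore anything before the first profile stanza
        elif line == "cert-key-chain {":
            in_chain = True
        elif in_chain and entry is None and line.endswith(" {"):
            entry = line[:-2]  # start of one chain entry, e.g. "default {"
        elif entry is not None and line.startswith(("cert ", "key ")):
            fields.update([line.split()])  # "cert /path" -> {"cert": "/path"}
        elif entry is not None and line == "}":
            chains[profile].append((entry, fields.get("cert"), fields.get("key")))
            entry, fields = None, {}
        elif in_chain and line == "}":
            in_chain = False  # closing brace of the cert-key-chain stanza
    return chains

def find_multi_entry_profiles(tmsh_text):
    # Profiles with more than one chain entry: candidates for the added-not-replaced symptom.
    return {p: e for p, e in parse_cert_key_chains(tmsh_text).items() if len(e) > 1}
```

Two entries are legitimate when the keys differ in type (an RSA and an ECDSA pair, say), so treat a flagged profile as something to inspect against the source device rather than as proof of the bug.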

Workaround

Perform the following procedure:
1. Disable full-load-on-sync for the device group.
2. Delete the profile.
3. Perform a sync operation.
4. Create the device group with the new certificate-key chain.
5. Sync again.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips