Last Modified: Nov 07, 2022
Affected Product:
BIG-IP (all modules)
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4
Fixed In:
12.0.0, 11.6.0 HF5
Opened: Dec 18, 2014
Severity: 2-Critical
The SSL Forward Proxy implementation requires the clientssl and serverssl profiles to configure at least one RSA ciphersuite. If the backend server uses ciphersuites with a key exchange other than RSA (such as ECDHE-ECDSA, ECDH-ECDSA, or DHE-DSS), the connection fails.
SSL Forward Proxy on the server side cannot be configured to use all key exchange methods the SSL module supports, and is limited to RSA.
RSA key exchange must be used on the server side, meaning that server-side SSL cannot use key exchange methods such as ECDHE-ECDSA, ECDH-ECDSA, or DHE-DSS while the client side still uses RSA key exchange.
None.
SSL Forward Proxy server side supports all key exchange methods. Previously, SSL Forward Proxy on the server side only supported RSA, ECDHE-RSA, and EDH-RSA key exchange methods.
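To find which backends would fail through SSL Forward Proxy on an affected version, the following added example (not F5 code) triages the cipher suite each backend negotiates against the key exchange methods this page names. It assumes OpenSSL-style suite names; the host inventory is constructed, and any combination the page does not mention is reported as such.

```python
# Added example (not F5 code): triage backend cipher suites against the
# server-side key exchange limit this page describes for 11.6.0 - 11.6.0 HF4.
# Suite names follow OpenSSL naming; the inventory below is constructed.

# (key exchange, authentication) pairs taken from the page text.
WORKED_BEFORE_FIX = {("RSA", "RSA"), ("ECDHE", "RSA"), ("DHE", "RSA")}
FAILED_BEFORE_FIX = {("ECDHE", "ECDSA"), ("ECDH", "ECDSA"), ("DHE", "DSS")}

KX_PREFIXES = {"ECDHE", "ECDH", "DHE", "EDH"}
AUTH_TOKENS = {"RSA", "ECDSA", "DSS"}
# Bulk-cipher prefixes that begin a name with no key-exchange prefix,
# which in OpenSSL naming means plain RSA key exchange.
BULK_PREFIXES = ("AES", "DES", "RC4", "CAMELLIA")


def key_exchange(suite):
    """Return (kx, auth) for an OpenSSL-style suite name, or None."""
    parts = suite.upper().split("-")
    if parts[0] in KX_PREFIXES:
        if len(parts) < 2 or parts[1] not in AUTH_TOKENS:
            return None
        kx = "DHE" if parts[0] == "EDH" else parts[0]  # EDH is the older spelling of DHE
        return kx, parts[1]
    if parts[0].startswith(BULK_PREFIXES):
        return "RSA", "RSA"
    return None


def triage(suite):
    """Classify a backend suite for an affected SSL Forward Proxy."""
    pair = key_exchange(suite)
    if pair in WORKED_BEFORE_FIX:
        return "works"
    if pair in FAILED_BEFORE_FIX:
        return "fails before fix"
    return "not stated on page"


# Constructed inventory: backend host -> suite it negotiates.
BACKENDS = {
    "app1.example.test": "AES128-SHA",
    "app2.example.test": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "app3.example.test": "EDH-RSA-DES-CBC3-SHA",
    "app4.example.test": "DHE-DSS-AES256-SHA",
    "app5.example.test": "ECDH-RSA-AES128-SHA",
}

if __name__ == "__main__":
    for host, suite in BACKENDS.items():
        print(f"{host:20} {suite:32} {triage(suite)}")
```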