Bug ID 497433: SSL Forward Proxy server side now supports all key exchange methods.

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP None(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5

Opened: Dec 18, 2014
Severity: 2-Critical

Symptoms

The SSL Forward Proxy implementation requires the clientssl and serverssl profiles to configure at least one RSA ciphersuite. If the backend server uses ciphersuites with a key exchange other than RSA (such as ECDHE-ECDSA, ECDH-ECDSA, DHE-DSS), the connection fails.

Impact

SSL Forward Proxy on the server side cannot be configured to use all key exchange methods the SSL module supports, and is limited to RSA.

Conditions

The server side must use RSA key exchange. It is not possible for server-side SSL to use other key exchange methods (such as ECDHE-ECDSA, ECDH-ECDSA, DHE-DSS) while the client side still uses RSA key exchange.

Workaround

None.

Fix Information

SSL Forward Proxy server side supports all key exchange methods. Previously, SSL Forward Proxy on the server side only supported RSA, ECDHE-RSA, and EDH-RSA key exchange methods.

Behavior Change

SSL Forward Proxy server side supports all key exchange methods. Previously, SSL Forward Proxy on the server side only supported RSA, ECDHE-RSA, and EDH-RSA key exchange methods.
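
To see which of a backend's ciphersuites fall outside the pre-fix set named above (RSA, ECDHE-RSA, EDH-RSA), the following added example, which is not F5 code, classifies a suite listing by key exchange method. It assumes the listing is in the `openssl ciphers -v` column layout with OpenSSL-style suite names; the sample lines are constructed and the function names are hypothetical.

```python
import re

# Methods the page lists as supported on the server side before the fix.
# The page writes "EDH-RSA"; EDH and DHE name the same ephemeral DH exchange.
PRE_FIX_SUPPORTED = {"RSA", "ECDHE-RSA", "DHE-RSA"}

# Constructed sample in `openssl ciphers -v` layout (not captured from a BIG-IP).
SAMPLE = """\
AES128-SHA                    SSLv3   Kx=RSA        Au=RSA   Enc=AES(128)    Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=ECDH       Au=RSA   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA            SSLv3   Kx=DH         Au=RSA   Enc=AES(256)    Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH       Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-SHA         SSLv3   Kx=ECDH/ECDSA Au=ECDH  Enc=AES(128)    Mac=SHA1
DHE-DSS-AES128-SHA            SSLv3   Kx=DH         Au=DSS   Enc=AES(128)    Mac=SHA1
"""

# suite name, protocol column (ignored), Kx= field, Au= field
LINE = re.compile(r"^(\S+)\s+\S+\s+Kx=(\S+)\s+Au=(\S+)")

def key_exchange_method(kx, au):
    """Map the Kx=/Au= fields to the method names used on the page."""
    if kx == "RSA":
        return "RSA"
    if "/" in kx:                      # static (EC)DH, e.g. Kx=ECDH/ECDSA
        return kx.replace("/", "-")
    ephemeral = {"ECDH": "ECDHE", "DH": "DHE"}.get(kx, kx)
    return f"{ephemeral}-{au}"

def triage(listing):
    """Return (suite, method, supported_before_fix) for each parsable line."""
    rows = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(2) == "any":   # skip junk and TLS 1.3 entries
            continue
        suite, kx, au = m.groups()
        method = key_exchange_method(kx, au)
        rows.append((suite, method, method in PRE_FIX_SUPPORTED))
    return rows

def fails_before_fix(listing):
    """Suites whose key exchange the affected versions cannot use server side."""
    return [suite for suite, _, ok in triage(listing) if not ok]

if __name__ == "__main__":
    for suite, method, ok in triage(SAMPLE):
        note = "ok" if ok else "fails on 11.6.0 through 11.6.0 HF4"
        print(f"{suite:30} {method:12} {note}")
```

A backend whose offered suites all appear in `fails_before_fix` cannot be reached through the forward proxy on the affected versions listed above.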