Bug ID 514729: 10.2.1 system with SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' fails to upgrade to 11.5.1, 11.5.2, 11.5.3, or 11.6.0.

Last Modified: May 23, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Known Affected Versions:
15.0.0, 14.1.0, 14.0.0, 13.1.0, 13.0.1, 13.0.0, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 12.0.0, 11.6.3, 11.6.2, 11.6.1, 11.6.0, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Fixed In:
11.5.3 HF2

Opened: Mar 26, 2015
Severity: 4-Minor

Symptoms

SSL ciphers 'DEFAULT:!HIGH:!MEDIUM' are allowed in 10.2.1 but will prevent a config from loading in 11.5.1, 11.5.2, 11.5.3, or 11.6.0. This cipher specification is not relevant for software versions 11.5.1, 11.5.2, 11.5.3, or 11.6.0, because all the DEFAULT ciphers fall within HIGH and MEDIUM ciphers. Turning off HIGH and MEDIUM effectively leaves the system with no ciphers to select from. This is the DEFAULT for 11.5.1. !SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4

Impact

Upon reboot into version 11.5.1, 11.5.2, 11.5.3, or 11.6.0, or upon load of a UCS from 10.2.1, the configuration fails to load. The operation fails with an error similar to the following. 01070311:3: Ciphers list <list>' for profile <profile name> denies all clients

Conditions

This issue occurs when a 10.2.1 system with an SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' is used on a system running version 11.5.1, 11.5.2, 11.5.3, or 11.6.0, either by upgrading, or by manual UCS installation. This is an example of such a profile. profile serverssl serverssl-low_encryption { defaults from serverssl ciphers "DEFAULT:!HIGH:!MEDIUM" }

Workaround

Search for this cipher 'DEFAULT:!HIGH:!MEDIUM' and modify before upgrading. For information about what value to use, see K13156: SSL ciphers used in the default SSL profiles (11.x - 13.x) :: https://support.f5.com/csp/article/K13156.

Fix Information

None

Behavior Change