Bug ID 516327: Stricter validation when using http2 profiles

Last Modified: Apr 10, 2019


Affected Product:
BIG-IP Install/Upgrade, LTM (all modules)

Fixed In:
12.0.0

Opened: Apr 03, 2015
Severity: 3-Major

Symptoms

In 12.0, extra checks were added to validate a virtual server's configuration. When an http2 profile uses 'activation-modes { alpn npn }' (alpn, npn, or both), there must be a clientssl profile on the same virtual server. The change is that this clientssl profile is now also checked to confirm that it:

1. has 'renegotiation disabled', and
2. has a 'ciphers' string that does not exclude the cipher ECDHE-RSA-AES128-GCM-SHA256, which ensures successful TLS connection establishment with all compliant http2 browsers; 'ciphers DEFAULT' meets this requirement.

When a pre-12.0 configuration is loaded on a 12.0 system, these checks are temporarily disabled to avoid upgrade issues. However, when that configuration is saved using 'tmsh save sys config', it is rewritten as a 12.0 configuration; when it is loaded again, the checks are enforced and the configuration might fail to load. These extra checks are controlled by a new parameter in the http2 profile, 'enforce-tls-requirements', whose default value is 'enabled'. Because all built-in client-ssl profiles fail to meet these stricter validations, virtual servers with http2 (plus alpn and/or npn) are likely to cause problems.

Impact

After an upgrade, a newly saved configuration might not load, with an error message like:

01070734:3: Configuration error: In Virtual Server (/Common/npn) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/http2_clientssl'; regenotiation must be disabled

or

01070734:3: Configuration error: In Virtual Server (/Common/npn) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/http2_clientssl'; cipher ECDHE-RSA-AES128-GCM-SHA256 must be available

Conditions

When a configuration with a virtual server that uses http2 (with activation-modes alpn and/or npn) is upgraded from a pre-12.0 system to a 12.0 or later system, that configuration will fail to load after it is saved. Steps:

1. Upgrade to 12.0.
2. tmsh save sys config
3. tmsh load sys config

Step 3 will likely produce the validation error, unless either the clientssl profile is changed to meet the requirements (preferred) or the http2 profile is changed so that it no longer enforces the stricter requirements (by setting 'enforce-tls-requirements disabled' in the http2 profile).
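As an added pre-upgrade check (example code written for this entry, not F5's own tooling), the script below parses a constructed bigip.conf-style fragment and reports, per virtual server, which of the two clientssl conditions above would fail once enforce-tls-requirements applies. The cipher test is a conservative substring heuristic rather than F5's cipher-string expansion, and only explicitly set values are inspected (defaults-from inheritance is not followed), so a clean report still needs confirming on the box.

```python
import re

# Constructed bigip.conf fragment (sample data, not from the page); it trips both checks.
SAMPLE_CONF = """
ltm virtual /Common/npn {
    profiles { /Common/http2 { } /Common/http2_clientssl { context clientside } }
}
ltm profile client-ssl /Common/http2_clientssl {
    ciphers DEFAULT:!ECDHE
    renegotiation enabled
}
ltm profile http2 /Common/http2 {
    activation-modes { alpn npn }
}
"""
REQUIRED_CIPHER = "ECDHE-RSA-AES128-GCM-SHA256"
STANZA = re.compile(r"^ltm (virtual|profile client-ssl|profile http2) (\S+) \{", re.M)

def stanzas(conf):
    """Map (kind, name) -> body for top-level stanzas; relies on the top-level '}' sitting at column 0."""
    return {(m[1], m[2]): conf[m.end():conf.index("\n}", m.end())] for m in STANZA.finditer(conf)}

def cipher_possibly_excluded(cipher_string):
    """Conservative heuristic, not F5's expansion: DEFAULT keeps the cipher unless a '!' term names part of it."""
    terms = cipher_string.split(":")
    if "DEFAULT" not in terms and REQUIRED_CIPHER not in terms:
        return True
    return any(t[1:] in REQUIRED_CIPHER for t in terms if t.startswith("!"))

def check_virtuals(conf):
    """Return {virtual: [problems]} mirroring the two 12.0 validation errors, for virtuals whose
    http2 profile uses alpn/npn and leaves enforce-tls-requirements at its default (enabled)."""
    s, report = stanzas(conf), {}
    for (kind, vs), body in s.items():
        if kind != "virtual": continue
        names = re.findall(r"(/\S+) \{", body)
        h2 = [s["profile http2", n] for n in names if ("profile http2", n) in s]
        ssl = [(n, s["profile client-ssl", n]) for n in names if ("profile client-ssl", n) in s]
        if not any(re.search(r"activation-modes \{[^}]*\b(alpn|npn)\b", b)
                   and "enforce-tls-requirements disabled" not in b for b in h2):
            continue
        problems = [] if ssl else ["no clientssl profile on the virtual server"]
        for name, b in ssl:
            if "renegotiation disabled" not in b:
                problems.append(f"{name}: renegotiation must be disabled")
            ciphers = re.search(r"^\s*ciphers (\S+)", b, re.M)
            if ciphers is None or cipher_possibly_excluded(ciphers[1]):
                problems.append(f"{name}: cipher {REQUIRED_CIPHER} must be available")
        if problems: report[vs] = problems
    return report
```

Confirm any flagged cipher string on the BIG-IP itself with tmm --clientciphers '<string>', which prints the ciphers the string actually expands to.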

Workaround

Either:
- before upgrading, change the clientssl profile, or
- after upgrading and saving the configuration, edit the configuration to change either the clientssl or the http2 profile.

Fix Information

Stricter validation makes http2 more secure, but pre-12.0 configurations using http2 may need attention.

Behavior Change