Bug ID 516327: Stricter validation when using HTTP/2 profiles

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:
BIG-IP Install/Upgrade, LTM(all modules)

Fixed In:
12.0.0

Opened: Apr 03, 2015
Severity: 3-Major

Symptoms

In v12.0.0, extra checks were added to validate a virtual server's configuration. When an HTTP/2 profile uses 'activation-modes { alpn npn }' (alpn, npn, or both), there must be a client SSL profile on the same virtual server. The change is that this client SSL profile is now also checked to ensure that it:

1. Has 'renegotiation disabled'.
2. Has a 'ciphers' string that does not exclude the cipher ECDHE-RSA-AES128-GCM-SHA256, which ensures successful TLS connection establishment with all compliant HTTP/2 browsers; 'ciphers DEFAULT' meets this requirement.

When loading pre-v12.0.0 configurations on a v12.0.0 system, these checks are temporarily disabled to avoid upgrade issues. However, when such a configuration is saved using 'tmsh save sys config', it becomes a v12.0.0 configuration; when that configuration is loaded, the checks are enforced and the load might fail.

These extra checks are controlled by a new parameter in the HTTP/2 profile, 'enforce-tls-requirements', whose default value is 'enabled'. Because all built-in client SSL profiles fail to meet these stricter validations, virtual servers using HTTP/2 (with alpn and/or npn) are likely to cause problems.

Impact

After an upgrade, the newly saved configuration might not load, presenting error messages similar to the following:

-- 01070734:3: Configuration error: In Virtual Server (/Common/npn) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/http2_clientssl'; regenotiation must be disabled

-- 01070734:3: Configuration error: In Virtual Server (/Common/npn) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/http2_clientssl'; cipher ECDHE-RSA-AES128-GCM-SHA256 must be available

Conditions

When upgrading a configuration with a virtual server that uses HTTP/2 (with activation-modes alpn and/or npn) from a pre-v12.0.0 system to a v12.0.0 or later system, that configuration fails to load after it is saved.

Steps:

1. Upgrade to v12.0.0 or later.
2. Run the command: tmsh save sys config
3. Run the command: tmsh load sys config

Step 3 likely produces the validation error, unless either the client SSL profile is changed to meet the requirements (preferred) or the HTTP/2 profile is changed to not enforce these stricter requirements (by setting 'enforce-tls-requirements disabled' in the HTTP/2 profile).

Workaround

You can use either of the following workarounds:

-- Before upgrading, change the client SSL profile so that it meets the requirements.
-- After upgrading and saving the configuration, edit the configuration to change either the client SSL profile or the HTTP/2 profile.
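The two checks described under Symptoms can be audited before the upgrade rather than discovered at 'tmsh load sys config' time. The following script is an added example and not F5 code: it parses the output of 'tmsh list ltm profile client-ssl all-properties' (assumed here to have the 'ltm profile client-ssl NAME { key value ... }' layout shown in the constructed SAMPLE) and reports every profile that would fail the renegotiation check or the ECDHE-RSA-AES128-GCM-SHA256 check. The cipher string is evaluated with the local OpenSSL through Python's ssl module, which is an approximation of BIG-IP's own cipher syntax (BIG-IP's 'DEFAULT' is not identical to OpenSSL's, and F5-only keywords are reported as "could not be evaluated" rather than guessed).

```python
"""Audit BIG-IP client SSL profiles against the two enforce-tls-requirements
checks (renegotiation disabled; ECDHE-RSA-AES128-GCM-SHA256 not excluded).

Constructed example, not F5 code. Input is assumed to be the output of
`tmsh list ltm profile client-ssl all-properties`.
"""
import re
import ssl

REQUIRED_CIPHER = "ECDHE-RSA-AES128-GCM-SHA256"

# Constructed sample of tmsh list output: one profile that fails both checks
# and one that passes. Not captured from a real system.
SAMPLE = """\
ltm profile client-ssl http2_clientssl {
    app-service none
    cert default.crt
    ciphers DEFAULT:!ECDHE
    defaults-from clientssl
    key default.key
    renegotiation enabled
}
ltm profile client-ssl good_clientssl {
    app-service none
    cert default.crt
    ciphers DEFAULT
    defaults-from clientssl
    key default.key
    renegotiation disabled
}
"""

# One stanza per profile; the closing brace of a stanza sits in column 0.
STANZA_RE = re.compile(r"^ltm profile client-ssl (\S+) \{\n(.*?)^\}", re.M | re.S)
# Only top-level "key value" lines (exactly four spaces of indent); nested
# sub-blocks such as cert-key-chain are indented further and are skipped.
PROP_RE = re.compile(r"^    (\S+) (.+)$", re.M)


def parse_client_ssl_profiles(text):
    """Return {profile_name: {property: value}} for each stanza in the text."""
    profiles = {}
    for name, body in STANZA_RE.findall(text):
        profiles[name] = {k: v.strip() for k, v in PROP_RE.findall(body)}
    return profiles


def cipher_available(cipher_string, cipher=REQUIRED_CIPHER):
    """Evaluate the cipher string with the local OpenSSL (an approximation of
    BIG-IP's cipher syntax). Returns True/False, or None when OpenSSL rejects
    the string (for example F5-only keywords) so it cannot be judged here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return any(c["name"] == cipher for c in ctx.get_ciphers())


def check_profiles(text):
    """Return {profile_name: [problem, ...]}; an empty list means the profile
    satisfies both checks that enforce-tls-requirements applies."""
    report = {}
    for name, props in parse_client_ssl_profiles(text).items():
        problems = []
        reneg = props.get("renegotiation")
        if reneg is None:
            problems.append("renegotiation not listed (use all-properties)")
        elif reneg != "disabled":
            problems.append("renegotiation must be disabled")
        ciphers = props.get("ciphers")
        if ciphers is None:
            problems.append("ciphers not listed (use all-properties)")
        else:
            avail = cipher_available(ciphers)
            if avail is None:
                problems.append("cipher string could not be evaluated locally: %s" % ciphers)
            elif not avail:
                problems.append("cipher %s must be available" % REQUIRED_CIPHER)
        report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_profiles(SAMPLE).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it against the saved output of 'tmsh list ltm profile client-ssl all-properties' (the plain 'list' form omits values inherited through 'defaults-from', which the script then reports as not listed). A profile flagged by the report can be corrected in tmsh with 'modify ltm profile client-ssl <name> renegotiation disabled ciphers DEFAULT', after which 'save sys config' followed by 'load sys config verify' confirms that the configuration loads under the stricter validation.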

Fix Information

Stricter validation makes HTTP/2 more secure, but pre-v12.0.0 configurations using HTTP/2 may need attention.

Behavior Change