Bug ID 523763: Changes to base SSL profiles can invalidate child profiles

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
9.4.5, 9.4.6, 9.4.7, 9.4.8, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 11.0.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.5.1 HF1, 11.6.1 HF1, 11.5.1 HF2, 11.6.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.6.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0

Opened: May 16, 2015

Severity: 3-Major

Related Article: K17513

Symptoms

If a change is made in an SSL profile, for example changing the options field to 'No TLSv1.2', a child SSL profile might silently become invalid if its cipher field contains only GCM ciphers.

Impact

When a parent profile is changed, its child profiles might silently become invalid. A UCS created from this configuration cannot be loaded successfully.

Conditions

The issue occurs when all of the following conditions are met:

1. Configuration changes (to ciphers or options) are made in the parent SSL profile.
2. A child SSL profile has ciphers or options marked as user-specified (that is, values not inherited from the parent).
3. The child SSL profile has only GCM ciphers configured in the cipher field, or has 'No TLSv1.2' in the options.
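The conditions above can be checked before a parent profile is edited. The following is an added example, not F5 code: it models profiles as constructed Python objects and reports which descendants a proposed parent change would invalidate. The `SSLProfile` class, the profile names, and the rule that a suite counts as GCM when its name contains "GCM" are assumptions of the example.

```python
import copy
from dataclasses import dataclass
from typing import Optional

@dataclass
class SSLProfile:                      # constructed model, not BIG-IP's schema
    name: str
    parent: Optional[str] = None
    ciphers: Optional[list] = None     # None = inherited; a value = user-specified
    options: Optional[set] = None

def effective(profiles, name, attr):
    """Resolve an attribute by walking up the parent chain."""
    p = profiles[name]
    while getattr(p, attr) is None and p.parent is not None:
        p = profiles[p.parent]
    return getattr(p, attr) or ()

def is_invalid(profiles, name):
    """GCM suites need TLS 1.2, so GCM-only ciphers plus 'No TLSv1.2' is unusable."""
    ciphers = effective(profiles, name, "ciphers")
    # Assumption: a suite is GCM if its name contains "GCM"; keywords are not expanded.
    gcm_only = bool(ciphers) and all("GCM" in c for c in ciphers)
    return gcm_only and "No TLSv1.2" in effective(profiles, name, "options")

def descendants(profiles, name):
    kids = [p.name for p in profiles.values() if p.parent == name]
    return kids + [d for k in kids for d in descendants(profiles, k)]

def broken_by_change(profiles, parent, **changes):
    """Descendants that are valid now but invalid after the proposed parent change."""
    trial = copy.deepcopy(profiles)
    for attr, value in changes.items():
        setattr(trial[parent], attr, value)
    return sorted(n for n in descendants(profiles, parent)
                  if not is_invalid(profiles, n) and is_invalid(trial, n))

# Constructed sample hierarchy.
PROFILES = {p.name: p for p in [
    SSLProfile("base", None, ["DEFAULT"], set()),
    SSLProfile("child_gcm", "base", ciphers=["ECDHE-RSA-AES128-GCM-SHA256"]),
    SSLProfile("child_notls12", "base", options={"No TLSv1.2"}),
    SSLProfile("child_inherit", "base"),
    SSLProfile("grandchild", "child_gcm"),
]}

if __name__ == "__main__":
    print(broken_by_change(PROFILES, "base", options={"No TLSv1.2"}))
    print(broken_by_change(PROFILES, "base", ciphers=["AES256-GCM-SHA384"]))
```

The first call covers a child with user-specified GCM-only ciphers inheriting a new 'No TLSv1.2' option; the second covers a child with a user-specified 'No TLSv1.2' option inheriting a GCM-only cipher list.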

Workaround

Do not change base SSL profiles.

Fix Information

Now, child SSL profiles are also validated when a configuration change is made to the parent SSL profile, which prevents a silently occurring invalid configuration.

Behavior Change
