Last Modified: Apr 10, 2019
BIG-IP All, Install/Upgrade
Known Affected Versions:
11.6.1, 11.6.0, 11.5.3, 11.5.2, 11.5.1
12.0.0, 11.5.3 HF2
Opened: Jun 12, 2015
Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if the upgraded cipherstring would effectively contain no ciphersuites.
The system changes 'COMPAT' to 'DEFAULT'. Upgrade posts a warning similar to the following:

WARNING: ciphers in clientssl profile TheProfile has been reset to DEFAULT from MD5.

This occurs because the BIG-IP software version 12.0.0 COMPAT set is empty by default. To prevent security issues and upgrade failures due to an empty ciphersuite, the upgrade operation replaces 'COMPAT' with 'DEFAULT'. This is not considered a software defect, but instead assists users with maintenance of ciphersuites. It is expected that some legacy ciphersuites will be removed from default sets in major releases of BIG-IP system software, which might require user action to account for this change.
This is relevant when the following conditions are met:
* Upgrading to version 12.0.0.
* Client/server SSL profile is configured with the COMPAT keyword.
Because the upgrade script replaces the configured cipherstring, you should determine whether 'DEFAULT' is a suitable set of ciphersuites, and make necessary adjustments. For more information, see SOL13156: SSL ciphers used in the default SSL profiles (11.x - 12.x), available here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html.

Best practice is to periodically review the enabled cipherstrings against what is currently considered secure, since this changes over time. Such a review should prevent future occurrence of the condition.
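A pre-upgrade check for the conditions listed above, added here as an example and not taken from F5: it reads configuration text on stdin and reports client/server SSL profiles whose cipherstring includes the COMPAT keyword. It assumes the stanza layout of bigip.conf and colon-separated cipherstrings; the function names and the sample profiles are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in bigip.conf stanza layout; profile names are made up.
sample_config() {
cat <<'EOF'
ltm profile client-ssl /Common/legacy_clientssl {
    ciphers COMPAT
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/modern_clientssl {
    ciphers "DEFAULT:!COMPAT"
}
ltm profile server-ssl /Common/backend_serverssl {
    ciphers NATIVE:COMPAT
}
ltm profile http /Common/http_compat {
    description COMPAT
}
EOF
}

# Print "<profile type> <profile name> <cipherstring>" for every SSL profile
# whose cipherstring adds COMPAT. Tokens prefixed with "!" or "-" are treated
# as exclusions and not reported (an assumption of this example).
find_compat_profiles() {
    awk '
    # Stanza header, e.g. "ltm profile client-ssl /Common/name {"
    $1 == "ltm" && $2 == "profile" && ($3 == "client-ssl" || $3 == "server-ssl") {
        type = $3; name = $4; next
    }
    # A closing brace in column 0 ends the top-level stanza.
    /^}/ { type = ""; next }
    # Only look at "ciphers" lines inside an SSL profile stanza.
    type != "" && $1 == "ciphers" {
        cs = $2
        gsub(/"/, "", cs)              # drop quoting around the value
        n = split(cs, tok, ":")
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t ~ /^[!-]/) continue  # exclusion token, skip
            sub(/^\+/, "", t)          # "+COMPAT" still refers to COMPAT
            if (t == "COMPAT") { print type, name, cs; next }
        }
    }'
}

sample_config | find_compat_profiles
```

Profiles reported by this check are the ones to review against 'DEFAULT' before upgrading to 12.0.0.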