Bug ID 527649: Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if upgraded cipherstring effectively contains no ciphersuites.

Last Modified: Mar 21, 2019

Bug Tracker

Affected Product:
BIG-IP All, Install/Upgrade(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Fixed In:
12.0.0, 11.5.3 HF2

Opened: Jun 12, 2015
Severity: 2-Critical

Symptoms

Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if the upgraded cipherstring would effectively contain no ciphersuites.

Impact

The system changes 'COMPAT' to 'DEFAULT'. Upgrade posts a warning similar to the following, naming the cipherstring that was replaced:

WARNING: ciphers in clientssl profile TheProfile has been reset to DEFAULT from MD5.

This occurs because in BIG-IP software version 12.0.0 the COMPAT keyword expands to an empty set of ciphersuites. To prevent security issues and upgrade failures due to an empty ciphersuite, the upgrade operation replaces 'COMPAT' with 'DEFAULT'. This is not considered a software defect; it assists users with maintenance of ciphersuites. It is expected that some legacy ciphersuites will be removed from default sets in major releases of BIG-IP system software, which might require user action to account for this change.

Conditions

This is relevant when the following conditions are met:

* Upgrading to version 12.0.0.
* Client/server SSL profile is configured with the COMPAT keyword.

Workaround

Because the upgrade script replaces the configured cipherstring, determine before upgrading whether 'DEFAULT' is a suitable set of ciphersuites for each affected profile, and make any necessary adjustments. For more information, see SOL13156: SSL ciphers used in the default SSL profiles (11.x - 12.x), available here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html. Best practice recommends periodic review of the enabled cipherstrings that are considered secure, since these change over time. Such a review should prevent the condition from recurring.
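The workaround above amounts to an inventory task: find every client-ssl and server-ssl profile whose cipherstring relies on COMPAT before the upgrade silently turns it into DEFAULT. The following POSIX shell script is an added example, not part of the F5 bug record or of BIG-IP itself. It parses the stanza format that `tmsh list ltm profile client-ssl ciphers` (and the server-ssl equivalent) prints and reports profiles whose ciphers value includes COMPAT as a positive token; exclusions such as !COMPAT are ignored because removing an already-empty set cannot empty the result. The function name find_compat_profiles, the helper sample_profiles and every profile name and cipherstring in the sample are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not F5 code): pre-upgrade audit of SSL profile cipher strings.
# find_compat_profiles reads `tmsh list ltm profile client-ssl ciphers` (or
# server-ssl) output on stdin and prints one line per profile whose ciphers
# value includes the COMPAT keyword as a positive token:
#     <profile-type> <name> <cipherstring>
# Exclusions such as !COMPAT or -COMPAT are ignored; they cannot empty a set.
find_compat_profiles() {
    awk '
        # any line ending in "{" opens a nested block (profile stanza or sub-block)
        /[{]$/ { depth++ }
        # "ltm profile client-ssl NAME {" at top level starts a profile stanza
        $1 == "ltm" && $2 == "profile" && depth == 1 {
            type = $3; name = $4; ciphers = ""; next
        }
        # "ciphers VALUE" directly inside the stanza; VALUE may be double-quoted
        name != "" && depth == 1 && $1 == "ciphers" {
            ciphers = $0
            sub(/^[ \t]*ciphers[ \t]+/, "", ciphers)
            sub(/^"/, "", ciphers)
            sub(/"$/, "", ciphers)
            next
        }
        # "}" closes a block; when the profile stanza closes, report it if
        # COMPAT appears as an included token (optionally prefixed with "+")
        $1 == "}" {
            depth--
            if (depth == 0 && name != "") {
                if (ciphers ~ /(^|[:, ])[+]?COMPAT([:, ]|$)/)
                    print type, name, ciphers
                name = ""
            }
        }
    '
}

# Constructed sample of tmsh output (profile names and values are made up),
# so the audit can be exercised without a BIG-IP.
sample_profiles() {
    cat <<'EOF'
ltm profile client-ssl clientssl {
    app-service none
    ciphers DEFAULT
}
ltm profile client-ssl TheProfile {
    app-service none
    ciphers COMPAT
}
ltm profile client-ssl strict-clientssl {
    app-service none
    ciphers "DEFAULT:!COMPAT:!RC4"
}
ltm profile server-ssl serverssl {
    app-service none
    ciphers DEFAULT
}
ltm profile server-ssl legacy-serverssl {
    app-service none
    ciphers COMPAT:!SSLv3
}
EOF
}

# Stand-alone run against the constructed sample. On a BIG-IP, feed the real
# listing instead:
#   tmsh list ltm profile client-ssl ciphers | find_compat_profiles
#   tmsh list ltm profile server-ssl ciphers | find_compat_profiles
sample_profiles | find_compat_profiles
```

Two caveats when running this against a real unit. A profile that inherits its cipherstring from a parent via defaults-from may show no ciphers line in the filtered listing, so the parent is what gets flagged; add all-properties to the tmsh list command if you want each child's effective value shown. The script only spots the COMPAT keyword, whereas the upgrade resets any cipherstring that expands to nothing (the warning in the Impact section shows MD5 being reset); the definitive check for a given string on the target version is `tmm --clientciphers 'COMPAT'` on a unit running that version, which prints the expanded ciphersuite list and prints nothing for a string that has become empty.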

Fix Information

None

Behavior Change