Bug ID 529400: An SSL handshake can show 'no ciphers selected' in some circumstances

Last Modified: Nov 07, 2022


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0

Opened: Jun 23, 2015
Severity: 3-Major
Related Article:
K17577

Symptoms

If an SSL profile is configured with only an RSA key/cert pair and only ecdhe-ecdsa ciphers are selected, the configuration does not show an error message. Subsequent SSL handshakes do not succeed and show 'no ciphers selected' error messages.

Impact

All SSL handshakes fail with 'no cipher suite selected'.

Conditions

Ecdhe-ecdsa ciphers are selected in the 'ciphers' list, but no ecdhe-ecdsa key and cert are configured in the SSL profile.

Workaround

When configuring an SSL profile, if an ecdhe-ecdsa cipher is selected in the 'ciphers' field, make sure an ecdhe-ecdsa key/cert is also configured.
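
On affected versions the workaround check can be run outside the device before a profile is deployed. The following is an added example, not F5 code: it assumes OpenSSL-style suite names in a colon-separated list, treats a suite with no explicit authentication token as RSA, and leaves anonymous and PSK suites out of scope. The function and profile names are hypothetical.

```python
# Added example: lint a client SSL profile for the mismatch described in this bug.
# Assumption: suites use OpenSSL-style names; a suite with no explicit
# authentication token (e.g. AES128-SHA) authenticates with an RSA cert.
# Anonymous and PSK suites are out of scope for this check.

def required_key_type(suite):
    """Return the certificate key type a cipher suite authenticates with."""
    tokens = suite.upper().split("-")
    if "ECDSA" in tokens:
        return "ECDSA"
    if "DSS" in tokens:
        return "DSA"
    return "RSA"  # ECDHE-RSA-*, DHE-RSA-* and plain RSA key-exchange suites


def check_profile(ciphers, key_types):
    """Split a colon-separated cipher list into (usable, unusable) suites.

    ciphers   -- e.g. "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA"
    key_types -- key types of the key/cert pairs in the profile, e.g. {"RSA"}
    """
    have = {k.upper() for k in key_types}
    usable, unusable = [], []
    for suite in filter(None, (s.strip() for s in ciphers.split(":"))):
        (usable if required_key_type(suite) in have else unusable).append(suite)
    return usable, unusable


def validate_profile(name, ciphers, key_types):
    """Raise ValueError when no configured suite can be served by any key/cert."""
    usable, unusable = check_profile(ciphers, key_types)
    if not usable:
        raise ValueError(
            f"profile {name}: no usable ciphers; configured key types "
            f"{sorted(key_types)} do not match suites {unusable}"
        )
    return usable, unusable


if __name__ == "__main__":
    # Constructed profiles: the first reproduces the condition in this bug.
    for name, ciphers, keys in [
        ("rsa_only_bad", "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA", {"RSA"}),
        ("rsa_ok", "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA", {"RSA"}),
    ]:
        try:
            print(name, validate_profile(name, ciphers, keys))
        except ValueError as err:
            print("ERROR:", err)
```

A profile that passes can still list suites no client will ever negotiate; the second element of the returned tuple names them so they can be removed or matched with a key/cert.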

Fix Information

SSL profile configuration now displays an error message indicating that the configured key/cert type does not match the configured cipher suites.

Behavior Change

The system reports an error message if the client SSL profile has no usable ciphers, i.e., the cert/key type required by the cipher string does not match the configured cert/key. In the past, the system did not report an error for this invalid configuration.