Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0, 12.0.0 HF3
Opened: Oct 08, 2015
Severity: 3-Major
Related Article: K31840725
SSL performs cipher selection and ALPN protocol selection independently. As a result, SSL can pick a cipher that is not compatible with HTTP/2 while still selecting HTTP/2 as the protocol. When that happens, either the client or the BIG-IP system refuses the newly established HTTP/2 connection with the error INSUFFICIENT_SECURITY.
The client or the BIG-IP system refuses a newly established HTTP/2 connection with the error INSUFFICIENT_SECURITY.
SSL picks a cipher that is not compatible with HTTP/2, but picks HTTP/2 (h2) as the next protocol.
Make sure HTTP/2 ciphers always come before non-HTTP/2 ciphers. This is not the case with the DEFAULT cipher string. HTTP/2 requires TLS 1.2 (or above), ephemeral keys (EDH/RSA, ECDHE_ECDSA, ECDHE_RSA, DHE/DSS), and GCM (AES-GCM).
In this release, HTTP/2 ciphers always come before non-HTTP/2 ciphers, at the top of the list, so they are always in sync and do not result in connection errors.
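The ordering requirement in the workaround can be checked mechanically. The following is an added example, not F5 code: it classifies suites by the criteria listed above (ephemeral key exchange plus AES-GCM), models the independent cipher and ALPN choices, and reorders a list so HTTP/2 suites come first. The OpenSSL-style suite names, the server-preference selection model, and all function names are assumptions made for illustration.

```python
# Added example. Suite names are OpenSSL-style and constructed for illustration.
EPHEMERAL = ("ECDHE-", "DHE-", "EDH-")

def is_h2_cipher(name):
    """Page's criteria: ephemeral key exchange plus AES-GCM (GCM suites are TLS 1.2+)."""
    return name.startswith(EPHEMERAL) and "AES" in name and "GCM" in name

def misordered(server_order):
    """HTTP/2-capable suites that sit below the first non-HTTP/2 suite."""
    late, seen_non_h2 = [], False
    for name in server_order:
        if not is_h2_cipher(name):
            seen_non_h2 = True
        elif seen_non_h2:
            late.append(name)
    return late

def negotiate(server_order, client_ciphers, client_alpn, server_alpn=("h2", "http/1.1")):
    """Model the two independent choices: cipher and ALPN, each by server preference."""
    cipher = next((c for c in server_order if c in client_ciphers), None)
    proto = next((p for p in server_alpn if p in client_alpn), None)
    return cipher, proto

def insufficient_security(server_order, client_ciphers, client_alpn):
    """True when h2 is selected together with a suite HTTP/2 does not accept."""
    cipher, proto = negotiate(server_order, client_ciphers, client_alpn)
    return proto == "h2" and cipher is not None and not is_h2_cipher(cipher)

def h2_first(server_order):
    """Stable reorder: HTTP/2 suites to the top, relative order otherwise unchanged."""
    return sorted(server_order, key=lambda c: not is_h2_cipher(c))

# Constructed server preference list with a non-ephemeral suite at the top.
BAD_ORDER = [
    "AES128-GCM-SHA256",            # RSA key exchange: not ephemeral
    "ECDHE-RSA-AES128-GCM-SHA256",  # HTTP/2-capable
    "ECDHE-RSA-AES128-SHA",         # ephemeral but CBC, not GCM
    "DHE-RSA-AES256-GCM-SHA384",    # HTTP/2-capable
]
CLIENT_CIPHERS = set(BAD_ORDER)     # constructed client that offers all four suites
CLIENT_ALPN = ["h2", "http/1.1"]

if __name__ == "__main__":
    print("misordered:", misordered(BAD_ORDER))
    print("fails before reorder:", insufficient_security(BAD_ORDER, CLIENT_CIPHERS, CLIENT_ALPN))
    fixed = h2_first(BAD_ORDER)
    print("fails after reorder:", insufficient_security(fixed, CLIENT_CIPHERS, CLIENT_ALPN))
```

A non-empty result from `misordered` marks a cipher list that can reproduce the mismatch for clients offering both kinds of suite.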