Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0, 11.6.1 HF1, 11.5.4 HF2
Opened: Jan 26, 2016 Severity: 3-Major Related Article:
K78448635
HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
Missing certkeychain of a clientSSL profile can result in its inability to handle some kind of SSL traffic. For example, if the clientSSL originally has EC key/cert but loses it, then it is no longer able to handle SSL connection using EC cipher suites.
The issue is seen when all the below conditions are met. 1. When more than one certkeychains are configured in the clientSSL profile. 2. When the content of a certkeychain of the clientSSL profile is modified. For example, "modify ltm profile client-ssl a4 cert-key-chain modify { default { cert rsa.crt key rsa.key } }". 3. Performs config sync in HA setup.
Basically reconfigure certkeychain but avoid modifying the content. 1. On any BIG-IP system, leave only the RSA certkeychain in the clientSSL profile, just like the default configuration. 2. Config sync, so that both systems have only the RSA certkeychain. 3. In any BIG-IP system, add certkeychains for other types (EC or DSA) you need. You can "add" or "delete" but do not "modify" any existing certkeychain. 4. Do config sync, so that both systems have the same certkeychains in the clientSSL profile.
None