Last Modified: Jun 18, 2019
See more info
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 12.1.4, 18.104.22.168
Opened: Mar 16, 2016
Connection cannot be established when multiple client SSL profiles are attached, and the default client SSL profile Mode is set to disabled.
Connection cannot be established. Setting the default client SSL profile's Mode to disabled effectively disables all SNI processing that would be handled in the other client SSL profiles, which disables all SSL processing on the virtual server.
-- Multiple client SSL profiles are attached to a virtual server. -- The default profile Mode is set to Disabled. For example, this might occur when configuring a virtual server to serve multiple HTTPS sites using the TLS SNI (see K13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature :: https://support.f5.com/csp/article/K13452), but you want the fallback to disable SSL processing if the client response does not pass in a matching server name.
HTTPS virtual servers now properly inspect the SNI in ClientHello and match against existing client SSL profiles if the fallback client SSL profile Mode is set to Disabled.