Bug ID 581077: Connection can’t be established when multiple clientssl profiles are attached if the default profile is disabled.

Last Modified: May 14, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1

Fixed In:
13.0.0

Opened: Mar 16, 2016
Severity: 3-Major

Symptoms

Connection can't be established when multiple clientssl profiles are attached and the default clientssl profile Mode is set to disabled.

Impact

Setting the default clientssl profile's Mode to disabled effectively disables all SNI processing that would be handled in the other clientssl profiles, which disables all SSL processing on the virtual server.

Conditions

This can occur when a virtual server is configured to serve multiple HTTPS sites using TLS SNI (see https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html) and the fallback is intended to disable SSL processing when the client does not send a matching server name.

Workaround

None.

Fix Information

HTTPS virtual servers will now properly inspect the SNI in ClientHello and match against existing clientssl profiles if the fallback clientssl profile Mode is set to Disabled.

Behavior Change