Bug ID 581077: Connection cannot be established when multiple client SSL profiles are attached if the default profile is disabled.

Last Modified: Sep 06, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5

Fixed In:
13.0.0

Opened: Mar 16, 2016
Severity: 3-Major

Symptoms

Connections cannot be established when multiple client SSL profiles are attached to a virtual server and the default (fallback) client SSL profile's Mode is set to Disabled.

Impact

Connections cannot be established. Setting the fallback client SSL profile's Mode to Disabled suppresses SNI inspection entirely, so the other client SSL profiles are never matched against the ClientHello and the virtual server performs no SSL processing at all.

Conditions

-- Multiple client SSL profiles are attached to a virtual server.
-- The default (fallback) client SSL profile's Mode is set to Disabled.

For example, this occurs when configuring a virtual server to serve multiple HTTPS sites using TLS SNI (see K13452: Configuring a virtual server to serve multiple HTTPS sites using the TLS Server Name Indication feature :: https://support.f5.com/csp/article/K13452), and you want the fallback profile to disable SSL processing when the client's ClientHello does not carry a matching server name.

Workaround

None.

Fix Information

HTTPS virtual servers now properly inspect the SNI in the ClientHello and match it against the attached client SSL profiles even when the fallback client SSL profile's Mode is set to Disabled.

Behavior Change