Bug ID 610417: Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
11.5.4, 11.5.5, 11.6.0, 11.6.1, 11.6.2, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2 HF1, 11.6.3, 11.5.6

Opened: Aug 11, 2016

Severity: 3-Major

Related Article: K54511423

Symptoms

When adding a device to the trust, the SSL connection can use insecure ciphers. It also uses the undesirable TLSv1 protocol instead of negotiating the highest, safest protocol available, which is TLSv1.2. If the peer device is configured to use TLSv1.1 or TLSv1.2 only, device trust will not be established.

Impact

Unable to configure stronger ciphers for device trust. If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.

Conditions

This exists when configuring devices in a device cluster.

Workaround

None.

Fix Information

The advertised client ciphers are reduced to those that the Common Criteria compliance standard approves. The initial OpenSSL call was changed to the one that negotiates the highest available TLS protocol (1.2).
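
One way to check what a device-trust client actually offers is to audit its ClientHello from a packet capture. The following is an added example, not F5 code: the sample records are constructed by `build_hello` (a hypothetical helper), and the weak-suite list is an assumption, since this record does not name the ciphers involved.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# Assumption: a small illustrative set of suites commonly treated as weak;
# the bug record does not list which ciphers were offered.
WEAK_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def audit_client_hello(record: bytes) -> dict:
    """Return the highest version offered and any weak suites in a ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    try:
        (client_version,) = struct.unpack_from("!H", hello, 0)
        pos = 2 + 32                      # skip version and 32-byte random
        pos += 1 + hello[pos]             # skip session_id
        (suites_len,) = struct.unpack_from("!H", hello, pos)
        pos += 2
        if suites_len % 2 or pos + suites_len > len(hello):
            raise ValueError("bad cipher_suites length")
        suites = struct.unpack_from("!%dH" % (suites_len // 2), hello, pos)
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    return {
        "max_version": VERSIONS.get(client_version, hex(client_version)),
        "tls12_capable": client_version >= 0x0303,
        "weak_suites": [WEAK_SUITES[s] for s in suites if s in WEAK_SUITES],
    }

def build_hello(version: int, suites: list) -> bytes:
    """Construct a minimal ClientHello record (sample input, not a capture)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"
    hello += struct.pack("!H", 2 * len(suites)) + struct.pack("!%dH" % len(suites), *suites)
    hello += b"\x01\x00"                  # one compression method: null
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

if __name__ == "__main__":
    print(audit_client_hello(build_hello(0x0301, [0x0005, 0x000A, 0x002F])))
    print(audit_client_hello(build_hello(0x0303, [0xC02F, 0x009C])))
```

The version is read from the handshake body rather than the record header, because a TLSv1.2-capable client commonly still sends 0x0301 at the record layer.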

Behavior Change
