Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Fixed In:
11.5.4 HF3
Opened: Sep 06, 2016 Severity: 3-Major
1. Using the GUI or an iControl SOAP call can create invalid client SSL profile containing an empty cert-key-chain. This might occur after following these steps: -- Create new client-ssl cert from the GUI (the web-based UI). -- Check 'Custom' in 'Certificate Key Chain', but do not add anything. -- Click Finished. The system creates the following: ltm profile client-ssl /Common/cssl { app-service none cert none cert-key-chain { "" { } defualt_rsa_ckc { <=== a typo "defualt" cert /Common/default.crt key /Common/default.key } } <snip> } 2. Using the iControl function 'LocalLB::ProfileClientSSL::create_v2' creates a profile with two cert-key-chain objects containing identical cert and key values, but with different names: ltm profile client-ssl my_prof { app-service none cert mycert.crt cert-key-chain { "" { cert mycert.crt key mycert.key } defualt_rsa_ckc { <=== a typo "defualt" cert mycert.crt key mycert.key } } chain none inherit-certkeychain false key mycert.key passphrase none }
Cannot add the invalid client SSL profile to a virtual server.
Creating client SSL profiles using the GUI or the iControl function create_v2().
Remove the invalid client SSL profile and re-create the profile using TMSH or the GUI.
GUI or iControl SOAP API call 'LocalLB::ProfileClientSSL::create_v2' no longer creates an invalid profile when creating client SSL profiles using the iControl function create_v2(). In addition, 'defualt' has been changed to 'default', as expected.