Bug ID 623336: After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS

Last Modified: Mar 12, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2

Fixed In:
13.0.0, 12.1.2 HF1, 11.6.3

Opened: Oct 18, 2016
Severity: 3-Major

Symptoms

When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.

Impact

Upgrades to versions that ship the "non-RCS" files will incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer version that shipped with those versions. This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.

Conditions

This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)

Workaround

On every device affected by this, or on every blade in a VIPRION system affected by this: 1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version: cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt 2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially: touch /service/mcpd/forceload && reboot 3. After reboot, verify that the two files match (they should have the same checksum): md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

Fix Information

When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check was performed incorrectly, and the old bundle could accidentally have been chosen. This has been fixed, and the newer version of the file is correctly chosen.

Behavior Change