Last Modified: Dec 07, 2023
Affected Product(s):
BIG-IP TMOS
Opened: Dec 19, 2016 Severity: 3-Major
When multiple cert-key-chains are configured in a clientSSL profile, the cert and key outside of the cert-key-chain block can become none, as shown below.

ltm profile client-ssl ckc2 {
    app-service none
    cert none    <================== none
    cert-key-chain {
        dsa1 {
            cert dsa1.crt
            key dsa1.key
        }
        rsa1 {
            cert default.crt
            key default.key
        }
    }
    chain none
    defaults-from clientssl
    inherit-certkeychain false
    key none    <================== none
    passphrase none
}

The cert and key outside of the cert-key-chain block are supposed to be the same as in the RSA cert-key-chain. In the above example, the cert and key that display as "none" are supposed to be "default.crt" and "default.key" respectively.
The impact varies. When this kind of configuration is seen, it could lead to config sync failure, upgrade failure, incorrect validation error, or no impact.
This occurs when multiple cert-key-chains are configured in a clientSSL profile; for example, one RSA cert-key-chain and one DSA cert-key-chain configured in the same clientSSL profile.
Edit /config/bigip.conf and change the cert and key from none to the same values as in the RSA cert-key-chain, then run "tmsh load sys conf":

ltm profile client-ssl ckc2 {
    app-service none
    cert default.crt    <======= changed from none
    cert-key-chain {
        dsa1 {
            cert dsa1.crt
            key dsa1.key
        }
        rsa1 {
            cert default.crt
            key default.key
        }
    }
    chain none
    defaults-from clientssl
    inherit-certkeychain false
    key default.key    <======= changed from none
    passphrase none
}
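A check for the condition described in the symptoms and the workaround above, as an added example (Python written for this page, not F5 code): it parses the client-ssl stanzas out of bigip.conf text, flags profiles that have more than one cert-key-chain while the top-level cert or key is none, and reports the values the workaround should restore. The sample stanza is the one from this article; because the stanza itself carries no key-type field, the operator passes the name of the RSA chain (rsa1 here), which is an assumption of this example.

```python
import re
# Constructed sample: the affected stanza from the symptom description above.
SAMPLE_CONF = """ltm profile client-ssl ckc2 {
    app-service none
    cert none
    cert-key-chain {
        dsa1 { cert dsa1.crt key dsa1.key }
        rsa1 { cert default.crt key default.key }
    }
    chain none
    defaults-from clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
"""
TOKEN_RE = re.compile(r"\{|\}|[^\s{}]+")  # braces and bare words; quoted values with spaces are not handled

def _parse_block(tokens, i):
    """Parse 'name value' / 'name { ... }' entries up to the matching '}'; return (dict, next index)."""
    block = {}
    while i < len(tokens) and tokens[i] != "}":
        name = tokens[i]
        if tokens[i + 1] == "{":
            block[name], i = _parse_block(tokens, i + 2)
        else:
            block[name], i = tokens[i + 1], i + 2
    return block, i + 1  # step past the closing '}'

def parse_client_ssl_profiles(conf_text):
    """Return {profile name: settings} for every 'ltm profile client-ssl' stanza in bigip.conf text."""
    tokens, profiles, i = TOKEN_RE.findall(conf_text), {}, 0
    while i < len(tokens):
        if tokens[i:i + 3] == ["ltm", "profile", "client-ssl"] and tokens[i + 4] == "{":
            profiles[tokens[i + 3]], i = _parse_block(tokens, i + 5)
        else:
            i += 1
    return profiles

def find_affected(profiles):
    """Profiles with more than one cert-key-chain whose top-level cert or key is 'none'."""
    return {name: sorted(p["cert-key-chain"]) for name, p in profiles.items()
            if len(p.get("cert-key-chain", {})) > 1
            and "none" in (p.get("cert"), p.get("key"))}

def expected_cert_key(profiles, profile_name, rsa_chain):
    """Values the top-level cert/key should carry: those of the RSA cert-key-chain named by the operator."""
    chain = profiles[profile_name]["cert-key-chain"][rsa_chain]
    return chain["cert"], chain["key"]
```

Run it against the text of /config/bigip.conf before a config sync or upgrade; any profile it reports is a candidate for the manual edit described in the workaround.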
None