Bug ID 644489: Unencrypted iSession connection established even though data-encrypt configured in profile

Last Modified: Oct 01, 2018

Affected Product:
BIG-IP AAM, WOM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.2 HF1, 11.6.2

Opened: Feb 10, 2017
Severity: 3-Major
Related AskF5 Article:
K14899014

Symptoms

iSession connections may be intermittently established as unencrypted even though they are configured to be secure.

Impact

An unencrypted iSession connection may be established, which is inconsistent with data-encrypt being enabled in the server-side iSession profile.

Conditions

Either of two scenarios can result in an unencrypted iSession connection being established:

1) An error occurs during dynamic server-ssl profile replacement.
2) Both the WOM local-endpoint and the destination WOM remote-endpoint lack server-ssl profiles.

In both cases, the virtual server must have a server-side iSession profile with data-encrypt enabled, and the remote virtual server must have a client-ssl profile with allow-non-ssl enabled.

Workaround

Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.
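
To find client-ssl profiles that still accept non-SSL connections, the following added example (not F5 code) scans configuration text and reports every profile whose effective allow-non-ssl value is enabled, including values inherited through defaults-from. It assumes the usual bigip.conf stanza layout; the profile names and sample text are constructed, and a parent profile that is not present in the scanned text is treated as using the default (disabled).

```python
import re

# Constructed sample in bigip.conf stanza style (assumed layout, not from the page).
SAMPLE_CONF = """\
ltm profile client-ssl /Common/wom-base {
    allow-non-ssl enabled
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/wom-child {
    defaults-from /Common/wom-base
}
ltm profile client-ssl /Common/wom-strict {
    allow-non-ssl disabled
    defaults-from /Common/wom-base
}
"""
HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{\s*$")

def parse_client_ssl(conf_text):
    """Return {profile: {setting: value}} for top-level client-ssl stanzas."""
    profiles, current, depth = {}, None, 0
    for line in conf_text.splitlines():
        text = line.strip()
        if depth == 0:
            match = HEADER.match(line)
            current = match.group(1) if match else None
            if current:
                profiles[current] = {}
        elif depth == 1 and current and " " in text and not text.endswith("{"):
            key, value = text.split(None, 1)
            profiles[current][key] = value
        depth += text.count("{") - text.count("}")
    return profiles

def effective_allow_non_ssl(profiles, name):
    """Walk defaults-from until the setting is set; unset means the default, disabled."""
    seen = set()
    while name in profiles and name not in seen:
        seen.add(name)
        if "allow-non-ssl" in profiles[name]:
            return profiles[name]["allow-non-ssl"]
        name = profiles[name].get("defaults-from")
    return "disabled"

def find_exposed_profiles(conf_text):
    profiles = parse_client_ssl(conf_text)
    return sorted(p for p in profiles if effective_allow_non_ssl(profiles, p) == "enabled")

if __name__ == "__main__":
    print(find_exposed_profiles(SAMPLE_CONF))
```

Any profile this reports that is attached to a virtual server receiving iSession traffic is a candidate for the workaround above.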

Fix Information

The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:

1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
2) An error occurs during dynamic server-ssl profile replacement.

Behavior Change