Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AAM, WOM
Known Affected Versions:
11.6.0, 11.6.1, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0, 12.1.2 HF1, 11.6.2
Opened: Feb 10, 2017 Severity: 3-Major Related Article:
K14899014
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.
An unencrypted iSession connection may be established which is inconsistent with configuring data-encrypt as enabled in the sever-side iSession profile.
Either of two scenarios can result in an unencrypted iSession connection being established: 1) An error occurs during dynamic server-ssl profile replacement. 2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles. In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs: 1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles. 2) An error occurs during dynamic server-ssl profile replacement.