Bug ID 645058: Modifying SSL profiles in GUI may fail when key is protected by passphrase

Last Modified: Jun 20, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM, TMOS(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.3, 11.6.3.3

Opened: Feb 15, 2017
Severity: 3-Major
Related AskF5 Article:
K93819312

Symptoms

When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following: 01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read. This can occur even when the passphrase already in the SSL profile is correct.

Impact

User cannot update client SSL profile via the GUI.

Conditions

Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile. Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.: tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }

Workaround

Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.

Fix Information

User can now update client SSL profile after upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

Behavior Change