Bug ID 645206: Missing cipher suites in outgoing LDAP TLS ClientHello

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP Install/Upgrade, LTM(all modules)

Known Affected Versions:
13.0.0, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 12.0.0

Fixed In:
13.1.0

Opened: Feb 15, 2017

Severity: 3-Major

Related Article: K23105004

Symptoms

When the BIG-IP system initiates an LDAP/TLS connection to a pool member (for example, from an LDAP monitor), the cipher suite list in the ClientHello it sends omits every cipher suite that uses SHA256 or SHA384 (the TLS 1.2 suites whose names end in _SHA256 or _SHA384). The same omission occurs when the BIG-IP system authenticates its own administrative users by way of LDAP or Active Directory over TLS.
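The quickest way to confirm this symptom on a given version is to capture the outgoing ClientHello and list the cipher suites it advertises. The following parser is an added example for this page, not F5 code: it walks a raw TLS ClientHello record, bounds-checks every length field, extracts the cipher suite codes and flags whether any SHA256/SHA384 suite is present. The two records it builds are constructed test data modelling an affected ClientHello and a fixed one; the exact suite lists are illustrative and were not taken from a BIG-IP capture.

```python
"""Inspect which cipher suites a TLS ClientHello advertises.

Added example (not F5 code). Pass the raw TLS record bytes of a captured
ClientHello to report(). The records built below are constructed test data.
"""
import struct
from typing import Dict, List

# IANA cipher suite codes (subset). The name suffix gives the hash:
# _SHA = SHA-1, _SHA256 / _SHA384 = the TLS 1.2 hashes this bug drops.
SUITE_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def parse_client_hello(record: bytes) -> List[int]:
    """Return the cipher suite codes in a TLS ClientHello record.

    Walks record header -> handshake header -> fixed ClientHello fields.
    Every length is bounds-checked so a truncated or malformed capture
    raises ValueError instead of yielding garbage suite codes.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated TLS record")
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32  # skip client_version and the 32-byte random
    if len(hello) < pos + 1:
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]  # skip session_id (1-byte length + value)
    if len(hello) < pos + 2:
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or len(hello) < pos + cs_len:
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", hello[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]


def report(record: bytes) -> Dict[str, object]:
    """Name the advertised suites and flag whether any SHA256/SHA384 suite is present."""
    try:
        suites = parse_client_hello(record)
    except ValueError as exc:
        return {"error": str(exc)}
    names = [SUITE_NAMES.get(c, "unknown_0x%04X" % c) for c in suites]
    sha2 = [n for n in names if n.endswith(("_SHA256", "_SHA384"))]
    sha1 = [n for n in names if n.endswith("_SHA")]
    return {"suites": names, "sha2": sha2, "sha1": sha1,
            "advertises_sha2": bool(sha2)}


def build_client_hello(suites: List[int]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test data)."""
    cs = b"".join(struct.pack("!H", c) for c in suites)
    hello = (struct.pack("!H", 0x0303) + bytes(32)      # version, random
             + b"\x00"                                   # empty session_id
             + struct.pack("!H", len(cs)) + cs           # cipher_suites
             + b"\x01\x00"                               # compression: null
             + b"\x00\x00")                              # no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed records: one modelling an affected ClientHello (SHA-1 suites
# only) and one modelling a fixed ClientHello. Suite lists are illustrative.
AFFECTED_HELLO = build_client_hello([0xC014, 0xC013, 0x0035, 0x002F, 0x000A])
FIXED_HELLO = build_client_hello([0xC030, 0xC02F, 0xC028, 0xC027, 0x009D,
                                  0x009C, 0xC014, 0xC013, 0x0035, 0x002F])

if __name__ == "__main__":
    for label, rec in (("affected", AFFECTED_HELLO), ("fixed", FIXED_HELLO)):
        r = report(rec)
        print(label, "advertises SHA256/SHA384:", r["advertises_sha2"])
        print("   ", ", ".join(r["suites"]))
```

To apply this to a real system, capture the monitor's or system-auth connection on the BIG-IP (for example `tcpdump -ni <vlan> -s0 -w /var/tmp/ldap.pcap host <ldap-server> and port 636`; interface and host are placeholders), extract the payload of the first TLS record the BIG-IP sends, and pass those bytes to `report()`. If `advertises_sha2` is False on an affected version and True after upgrading to a fixed version, you are looking at this bug.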

Impact

An LDAP server that accepts only SHA256 or SHA384 cipher suites for LDAP/TLS has no suite in common with the ClientHello sent by an affected BIG-IP system, so the TLS handshake fails and LDAP authentication fails with it. Because BIG-IP 11.x did advertise SHA256 and SHA384 suites, LDAP authentication that worked before the upgrade can break immediately after upgrading to an affected version.

Conditions

Your LDAP servers accept only SHA256 or SHA384 cipher suites for LDAP/TLS connections (the LDAP monitor's pool members, or the LDAP/AD servers used for BIG-IP system authentication).

Workaround

Configure the LDAP servers to also accept at least one cipher suite that does not use SHA256 or SHA384, so that a common suite can be negotiated with the cipher suites an affected BIG-IP system still advertises.

Fix Information

The BIG-IP system now includes SHA256 and SHA384 cipher suites in the advertised cipher suite list in the ClientHello when initiating LDAP/TLS with a pool member (in the case of a monitor). The same fix applies to BIG-IP system authentication by way of LDAP or AD when TLS is used.

Behavior Change

Beginning with 13.1.0, the ClientHello that the BIG-IP system sends for LDAP/TLS monitors and for LDAP or AD system authentication over TLS again advertises SHA256 and SHA384 cipher suites, as it did in 11.x. LDAP servers that accept only those suites can negotiate TLS with the BIG-IP system without the workaround above.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips