Last Modified: Nov 22, 2021
Affected Product(s):
BIG-IP LTM
Fixed In:
13.1.0
Opened: Mar 13, 2017 Severity: 3-Major
The configuration of SSL/TLS-based monitors might differ from how SSL/TLS is configured for other objects, such as SSL/TLS-based virtual servers.
Inconsistent configuration.
This applies to SSL/TLS-based monitors.
None.
In this release, instead of specifying ciphers, certificates, keys, and SSL options via explicit parameters, an SSL-based monitor (HTTPS/TCP plus SSL) is configured with a ServerSSL Profile. This profile contain all of the necessary settings. The ciphers, certificates, and keys are directly analogous to the those in the previous method of monitor configuration. SSL/TLS options may be specified in a more fine-grained fashion than the previous method, which enabled all compatibility options, or disabled all of them.
Previous versions of LTM monitors used explicit SSL/TLS settings for ciphers, certificates, and keys, as well as whether to enable compatibility options. In all prior releases, SSL options on HTTPS monitors were specified explicitly. With this change, HTTPS monitors get their SSL options from a named Server SSL Profile. The following options are retrieved from the profile: -- Cipher string or cipher group. -- Optional certificate and/or key. -- SSL Options. In prior releases, a compatibility flag could be enabled or disabled. When enabled, it turned on all SSL compatibility options; when disabled, all were turned off. With this change, individual SSL options can be specified in the profile.