Bug ID 651067: SSL/TLS-based monitors now use ServerSSL profiles

Last Modified: Dec 24, 2018

Affected Product:
BIG-IP LTM (all modules)

Fixed In:
13.1.0

Opened: Mar 13, 2017
Severity: 3-Major

Symptoms

The configuration of SSL/TLS-based monitors might differ from how SSL/TLS is configured for other objects, such as SSL/TLS-based virtual servers.

Impact

Inconsistent configuration.

Conditions

This applies to SSL/TLS-based monitors.

Workaround

None.

Fix Information

In this release, instead of specifying ciphers, certificates, keys, and SSL options via explicit parameters, an SSL-based monitor (HTTPS/TCP plus SSL) is configured with a ServerSSL Profile. This profile contains all of the necessary settings. The ciphers, certificates, and keys are directly analogous to those in the previous method of monitor configuration. SSL/TLS options may be specified in a more fine-grained fashion than in the previous method, which either enabled all compatibility options or disabled all of them.

Behavior Change

Previous versions of LTM monitors used explicit SSL/TLS settings for ciphers, certificates, and keys, as well as whether to enable compatibility options. In all prior releases, SSL options on HTTPS monitors were specified explicitly. With this change, HTTPS monitors get their SSL options from a named Server SSL Profile. The following options are retrieved from the profile:

-- Cipher string or cipher group.
-- Optional certificate and/or key.
-- SSL Options.

In prior releases, a compatibility flag could be enabled or disabled. When enabled, it turned on all SSL compatibility options; when disabled, all were turned off. With this change, individual SSL options can be specified in the profile.
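The following audit sketch is an added example, not F5's code: it scans a bigip.conf-style text and reports which HTTPS monitors still carry the explicit SSL/TLS parameters and which reference a ServerSSL profile. The attribute names (`cipherlist`, `compatibility`, `cert`, `key`, `ssl-profile`) are assumed from tmsh monitor syntax and do not appear in this bug record; the sample configuration and object names are constructed.

```python
import re

# Constructed bigip.conf-style sample, not taken from the bug record.
# Assumed tmsh attribute names: cipherlist, compatibility, cert and key are the
# legacy explicit parameters; ssl-profile names the ServerSSL profile.
SAMPLE_CONF = """\
ltm monitor https /Common/legacy_https {
    cipherlist DEFAULT:+SHA:+3DES
    compatibility enabled
    interval 5
}
ltm monitor https /Common/profile_https {
    interval 5
    ssl-profile /Common/monitor_serverssl
}
ltm monitor https /Common/mixed_https {
    cert /Common/client.crt
    key /Common/client.key
    ssl-profile /Common/monitor_serverssl
}
ltm monitor http /Common/plain_http {
    interval 5
}
"""

LEGACY_KEYS = {"cipherlist", "compatibility", "cert", "key"}
STANZA = re.compile(r"^ltm monitor (\S+) (\S+) \{\n(.*?)^\}", re.M | re.S)


def audit_monitors(conf_text):
    """Map each HTTPS monitor to (status, legacy attributes still present)."""
    findings = {}
    for mtype, name, body in STANZA.findall(conf_text):
        if mtype != "https":  # only the HTTPS monitor type is handled here
            continue
        # First token of each line is the attribute, the rest is its value.
        attrs = dict((line.split(None, 1) + [""])[:2]
                     for line in body.splitlines() if line.strip())
        legacy = sorted(LEGACY_KEYS & attrs.keys())
        # A value of "none" is assumed to mean no profile is attached.
        has_profile = attrs.get("ssl-profile", "none") != "none"
        if has_profile:
            status = "mixed" if legacy else "profile"
        else:
            status = "legacy" if legacy else "unset"
        findings[name] = (status, legacy)
    return findings
```

Monitors reported as `legacy` or `mixed` are the ones to review when moving to 13.1.0, since their cipher, certificate, key, and option settings now belong in the ServerSSL profile.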