Bug ID 668624: The Configuration Utility now disables the TLS 1.0 protocol by default

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP All, Install/Upgrade(all modules)

Fixed In:
14.0.0

Opened: Jun 09, 2017

Severity: 3-Major

Symptoms

The TLS 1.0 protocol was removed from the list of SSL protocols allowed by default in the management utility. This impacts the iControl REST API, and if you are using configuration management tools like Ansible (which uses Python) with a Python interpreter built against an older OpenSSL version, the client will suddenly fail to connect with an error similar to the following:

SSLError: EOF occurred in violation of protocol

The protocol defaults can be seen with the following tmsh command:

# tmsh list sys httpd ssl-protocol
sys httpd {
    ssl-protocol "all -SSLv2 -SSLv3 -TLSv1"
}

Impact

BIG-IP systems refuse to allow TLSv1 connections, so the client will be unable to connect. This will most likely be encountered as a sudden inability to connect after upgrading.

Conditions

This can occur when connecting to the configuration utility, including using the iControl REST API, with an HTTPS client that is not compiled with TLS 1.1 or TLS 1.2 support.

Workaround

While TLS 1.0 can be re-enabled on BIG-IP systems via the 'tmsh modify sys httpd ssl-protocol' command, this is not advised because the protocol is past the end-of-life date. It is highly recommended to upgrade the OpenSSL version on all client devices that connect to the BIG-IP configuration utility.

Fix Information

TLS 1.0 is no longer in the default SSL protocols list, and all SSL clients need to have support for TLS 1.1 or 1.2 or they will be unable to connect.

Behavior Change

The configuration utility no longer allows the TLS 1.0 protocol by default. The following tmsh command shows the before and after settings.

Prior to version 14.0.0:

# tmsh list sys httpd ssl-protocol
sys httpd {
    ssl-protocol "all -SSLv2 -SSLv3"
}

Beginning in version 14.0.0:

# tmsh list sys httpd ssl-protocol
sys httpd {
    ssl-protocol "all -SSLv2 -SSLv3 -TLSv1"
}

All clients connecting via SSL must have support for TLS 1.1 or 1.2 or they will be unable to connect.
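The following Python script is an added example (not F5 code and not part of this bug entry) for the Workaround and Behavior Change sections above: it expands an httpd ssl-protocol string into the versions the Configuration Utility will accept, predicts whether a client with a given maximum TLS version can still connect, and reports the highest TLS version the local Python/OpenSSL build offers. It assumes that the "all" keyword expands to exactly the five versions listed in KNOWN and that a client offers every version up to its maximum.

```python
import ssl

# Protocol keywords accepted in the httpd ssl-protocol string, weakest first.
# Assumption (not stated on the bug page): "all" expands to exactly these five.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def enabled_protocols(ssl_protocol):
    """Expand a 'tmsh list sys httpd ssl-protocol' value such as
    'all -SSLv2 -SSLv3 -TLSv1' into the set of versions the utility accepts."""
    enabled = set()
    for token in ssl_protocol.split():
        op = "remove" if token.startswith("-") else "add"
        name = token.lstrip("+-")
        names = set(KNOWN) if name.lower() == "all" else {name}
        if not names <= set(KNOWN):
            raise ValueError("unknown protocol keyword: %s" % token)
        if op == "add":
            enabled |= names
        else:
            enabled -= names
    return enabled


def negotiated_version(ssl_protocol, client_max_version):
    """Highest version both sides accept, or None when the handshake fails
    (the 'SSLError: EOF occurred in violation of protocol' case).
    Assumes the client offers every version up to client_max_version."""
    enabled = enabled_protocols(ssl_protocol)
    offered = KNOWN[: KNOWN.index(client_max_version) + 1]
    common = [v for v in offered if v in enabled]
    return common[-1] if common else None


def local_client_max_version():
    """Highest TLS version the OpenSSL behind this interpreter offers.
    OpenSSL gained TLS 1.1/1.2 in 1.0.1; older builds top out at TLS 1.0."""
    if getattr(ssl, "HAS_TLSv1_2", ssl.OPENSSL_VERSION_INFO >= (1, 0, 1)):
        return "TLSv1.2"
    return "TLSv1"


if __name__ == "__main__":
    # The two settings shown on the page: before and after version 14.0.0.
    for setting in ("all -SSLv2 -SSLv3", "all -SSLv2 -SSLv3 -TLSv1"):
        for client in ("TLSv1", "TLSv1.2"):
            result = negotiated_version(setting, client) or "handshake fails"
            print("%-26s client max %-7s -> %s" % (setting, client, result))
    print("this interpreter offers up to", local_client_max_version(),
          "(%s)" % ssl.OPENSSL_VERSION)
```

Run it on the client host that fails after the upgrade: a reported maximum of TLSv1 confirms the OpenSSL build is the problem and needs updating.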

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips