Last Modified: Jul 12, 2023
BIG-IP All, Install/Upgrade
Known Affected Versions:
13.1.0, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 13.1.1, 184.108.40.206, 220.127.116.11
Opened: Jan 19, 2018 Severity: 2-Critical
Related Article: K82327396
A BIG-IP upgrade creates Server SSL profiles for custom HTTPS monitors, and these profiles may have an invalid Ciphers attribute. This does not prevent the configuration from loading, but attempting to modify the existing SSL profile, or to create a new one with a matching configuration, fails with the following message:

01070312:3: Invalid keyword 'kedh' in ciphers list for profile /Common/name-of-server-ssl-profile
Upgrade creates configurations that are challenging to manage as a result of MCPD validation.
Custom HTTPS monitors configured prior to an upgrade result in these profiles being created during the upgrade. The default HTTPS cipher list is 'DEFAULT:+SHA:+3DES:+kEDH', which is a valid OpenSSL cipher list but not a valid Client SSL / Server SSL cipher list.

Note: if the configuration fails to load and shows a similar error message, the cause may be ID705730; see https://cdn.f5.com/product/bugtracker/ID705730.html
Reconfigure the cipher list to be valid according to both the OpenSSL cipher list and the Client SSL / Server SSL cipher list expectations. For instance, use "DEFAULT:+SHA:+3DES:+EDH" instead of "DEFAULT:+SHA:+3DES:+kEDH".
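To find the profiles this workaround applies to, the following added example (not F5 code) scans saved configuration text for Server SSL profiles whose cipher string contains the kEDH keyword and prints the EDH substitution described above. The sample stanzas and profile names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in bigip.conf stanza style; profile names are made up.
SAMPLE_CONF = """\
ltm profile server-ssl /Common/https_monitor_ssl {
    ciphers DEFAULT:+SHA:+3DES:+kEDH
    defaults-from /Common/serverssl
}
ltm profile server-ssl /Common/app_backend_ssl {
    ciphers DEFAULT:+SHA:+3DES:+EDH
}
ltm profile client-ssl /Common/front_ssl {
    ciphers DEFAULT
}
"""

HEADER = re.compile(r"^ltm profile server-ssl (\S+) \{\s*$")
BAD_KEYWORD = "kedh"   # keyword named in the 01070312:3 error message
REPLACEMENT = "EDH"    # substitution given in the workaround

def fix_cipher_string(ciphers):
    """Swap kEDH for EDH in each element, keeping any +, - or ! prefix."""
    fixed = []
    for element in ciphers.split(":"):
        prefix = element[: len(element) - len(element.lstrip("+-!"))]
        keyword = element[len(prefix):]
        fixed.append(prefix + (REPLACEMENT if keyword.lower() == BAD_KEYWORD else keyword))
    return ":".join(fixed)

def find_invalid_profiles(conf_text):
    """Return (profile, current, suggested) for Server SSL profiles using kEDH."""
    findings, profile, depth = [], None, 0
    for line in conf_text.splitlines():
        header = HEADER.match(line) if depth == 0 else None
        if header:
            profile = header.group(1)
        elif depth == 1 and profile and line.split()[:1] == ["ciphers"]:
            current = line.split(None, 1)[1].strip().strip('"')
            suggested = fix_cipher_string(current)
            if suggested != current:
                findings.append((profile, current, suggested))
        depth += line.count("{") - line.count("}")  # track stanza nesting
        if depth == 0:
            profile = None
    return findings

if __name__ == "__main__":
    for name, current, suggested in find_invalid_profiles(SAMPLE_CONF):
        print(f"{name}: {current} -> {suggested}")
```

Only the kEDH keyword is checked, since that is the one this bug report identifies; the script does not validate the rest of the cipher string.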
Upgrade no longer creates Server SSL profiles with invalid cipher strings.