Bug ID 702792: Upgrade creates Server SSL profiles with invalid cipher strings

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP All, Install/Upgrade(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3

Fixed In:
14.0.0, 13.1.1.4

Opened: Jan 19, 2018

Severity: 2-Critical

Related Article: K82327396

Symptoms

Upgrade of BIG-IP creates Server SSL profiles for custom HTTPS monitors that may have an invalid Ciphers attribute. This does not prevent the configuration from loading, but attempting to modify the existing SSL profile or create a new one with matching configuration fails with the following message:

01070312:3: Invalid keyword 'kedh' in ciphers list for profile /Common/name-of-server-ssl-profile

Impact

Upgrade creates configurations that are challenging to manage as a result of MCPD validation.

Conditions

Custom HTTPS monitors configured prior to an upgrade result in these profiles being created during the upgrade. The default HTTPS cipherlist is 'DEFAULT:+SHA:+3DES:+kEDH', which is a valid OpenSSL cipher list, but is not a valid Client SSL / Server SSL cipher list. Note that issues where the configuration fails to load and shows a similar error message may be due to ID705730; see https://cdn.f5.com/product/bugtracker/ID705730.html

Workaround

Reconfigure the cipher list to be valid according to both the OpenSSL cipher list and the Client SSL / Server SSL cipher list expectations. For instance, use "DEFAULT:+SHA:+3DES:+EDH" instead of "DEFAULT:+SHA:+3DES:+kEDH".
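
To find which profiles need the workaround, the following added example (not F5 code) scans configuration text for Server SSL profiles whose cipher string contains the kEDH keyword and prints the string with EDH substituted. It assumes stanzas of the form "ltm profile server-ssl <name> {" containing a "ciphers <string>" line with no spaces in the value; the sample configuration and the function names are constructed for illustration.

```shell
# Constructed sample configuration (assumed stanza layout, not from the page).
sample_config() {
    cat <<'EOF'
ltm monitor https /Common/custom_https {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    defaults-from /Common/https
}
ltm profile server-ssl /Common/name-of-server-ssl-profile {
    app-service none
    ciphers DEFAULT:+SHA:+3DES:+kEDH
    defaults-from /Common/serverssl
}
ltm profile server-ssl /Common/clean-profile {
    ciphers DEFAULT
    defaults-from /Common/serverssl
}
EOF
}

# Reads configuration text on stdin. For every server-ssl profile whose
# cipher string contains kEDH, prints: name <TAB> current <TAB> suggested.
# Monitor stanzas are skipped: kEDH is valid in a monitor cipherlist.
find_kedh_profiles() {
    awk '
    $1 == "ltm" && $2 == "profile" && $3 == "server-ssl" { name = $4; next }
    /^}/ { name = "" }                      # top-level brace closes the stanza
    name != "" && $1 == "ciphers" {
        value = $2
        gsub(/"/, "", value)                # tolerate a quoted value
        n = split(value, tok, ":")
        fixed = ""; hit = 0
        for (i = 1; i <= n; i++) {
            t = tok[i]; op = ""
            # keep a leading +, - or ! operator separate from the keyword
            if (t ~ /^[+!-]/) { op = substr(t, 1, 1); t = substr(t, 2) }
            # the error message shows the keyword lowercased, so compare that way
            if (tolower(t) == "kedh") { t = "EDH"; hit = 1 }
            fixed = fixed (i > 1 ? ":" : "") op t
        }
        if (hit) print name "\t" value "\t" fixed
    }'
}

sample_config | find_kedh_profiles
```

On a real system, feed the function the saved configuration file instead of the sample, then apply the suggested string to each reported profile.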

Fix Information

Upgrade no longer creates Server SSL profiles with invalid cipher strings.

Behavior Change
