Bug ID 702792: Upgrade creates Server SSL profiles with invalid cipher strings

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP All, Install/Upgrade(all modules)

Known Affected Versions:
13.1.0,,,,,,,,, 13.1.1,,

Fixed In:

Opened: Jan 19, 2018

Severity: 2-Critical

Related Article: K82327396


Upgrade of BIG-IP creates Server SSL profiles for custom HTTPS monitors that may have an invalid Ciphers attribute. This does not prevent the configuration from loading, but attempting to modify the existing SSL profile or create a new one with matching configuration fails with the following message: 01070312:3: Invalid keyword 'kedh' in ciphers list for profile /Common/name-of-server-ssl-profile


Upgrade creates configurations that are challenging to manage as a result of MCPD validation.


Custom HTTPS monitors configured prior to an upgrade result in these profiles being created during the upgrade. The default HTTPS cipherlist is 'DEFAULT:+SHA:+3DES:+kEDH', which is a valid OpenSSL cipher list, but is not a valid Client SSL / Server SSL cipher list. Note that issues where the configuration fails to load and shows a similar error message may be due to ID705730, see https://cdn.f5.com/product/bugtracker/ID705730.html


Reconfigure the cipher list to be valid according to both the OpenSSL cipher list and the Client SSL / Server SSL cipher list expectations. For instance, use "DEFAULT:+SHA:+3DES:+EDH" instead of "DEFAULT:+SHA:+3DES:+kEDH".

Fix Information

Upgrade no longer creates Server SSL profiles with invalid cipher strings.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips