Bug ID 705730: Config fails to load due to invalid SSL cipher after upgrade from v13.1.0

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP Install/Upgrade, LTM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
14.0.0

Opened: Feb 07, 2018

Severity: 2-Critical

Related Article: K31992159

Symptoms

Config with an apparently invalid SSL cipher entry fails to load after upgrade from v13.1.0, and requires a manual config load after upgrade:

tmsh load sys config

This occurs because, starting in v13.1.0, 'https' monitors rely on SSL attributes configured through a 'serverssl' profile, which does not support the 'kEDH' cipher; the 'kEDH' cipher was, however, a default cipher in previous releases (where 'https' monitors relied on 'OpenSSL').

Impact

The configuration fails to load, an error message is issued, and the device remains offline until a manual config load and/or edit is performed.

Conditions

-- Upgrade occurs from v13.1.0 to a later version, and either of the following:
-- Config uses 'https' monitors.
-- Config uses SSL profiles that have the 'kEDH' cipher listed.

Workaround

-- Remove 'https' monitors (and any existing SSL profiles that use the kEDH cipher) prior to upgrade, and add them again after upgrade.
-- Remove any unsupported +kEDH strings from server SSL profiles.
-- If there are no unsupported ciphers such as +kEDH in any server SSL profiles, then after upgrade from v13.1.0, perform a manual config load by running the following command: tmsh load sys config

(This works because, on a manual config load ('tmsh load sys config'), the system replaces the existing 'https' ciphers with defaults appropriate for a 'serverssl' profile in the new software version. Even though the system posts an error referencing the invalid 'kEDH' cipher, the device becomes 'Active' seconds later, and new default ciphers are established for 'https' monitors.)
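A pre-upgrade check for the condition described above, added here as an example and not F5's own tooling: it scans bigip.conf-style text for server-ssl profiles and https monitors whose cipher string still lists kEDH, so they can be cleaned up before the upgrade rather than discovered when the config fails to load. The sample configuration is constructed, and the attribute names 'ciphers' (server-ssl profile) and 'cipherlist' (https monitor) are assumed to match the tmsh schema.

```python
import re

# Constructed bigip.conf fragment (not captured from a real device); the
# 'ciphers' / 'cipherlist' attribute names are assumed to match tmsh.
SAMPLE_CONF = """\
ltm profile server-ssl /Common/legacy-serverssl {
    cert-key-chain {
        default {
            cert /Common/default.crt
        }
    }
    ciphers DEFAULT:+SHA:+3DES:+kEDH
    defaults-from /Common/serverssl
}
ltm profile server-ssl /Common/clean-serverssl {
    ciphers DEFAULT:!SSLv3:!RC4
    defaults-from /Common/serverssl
}
ltm monitor https /Common/legacy_https {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    defaults-from /Common/https
}
"""

STANZA_RE = re.compile(r"^(ltm (?:profile server-ssl|monitor https)) (\S+) \{\s*$")
CIPHER_ATTRS = ("ciphers", "cipherlist")

def cipher_has_kedh(cipher_string: str) -> bool:
    """True if any ':'-separated element, with +/-/! modifiers stripped, is kEDH."""
    return any(e.lstrip("+-!") == "kEDH" for e in cipher_string.split(":"))

def find_kedh(conf: str) -> list:
    """Return (object type, object name, cipher string) for each stanza using kEDH."""
    findings, current, depth = [], None, 0
    for line in conf.splitlines():
        m = STANZA_RE.match(line)
        if depth == 0 and m:
            current, depth = (m.group(1), m.group(2)), 1  # entered a stanza of interest
            continue
        if current is None:
            continue  # outside any server-ssl / https-monitor stanza
        depth += line.count("{") - line.count("}")  # track nested sub-blocks
        parts = line.split(None, 1)
        if depth == 1 and len(parts) == 2 and parts[0] in CIPHER_ATTRS and cipher_has_kedh(parts[1]):
            findings.append((current[0], current[1], parts[1].strip()))
        if depth == 0:
            current = None  # closing brace of the stanza
    return findings
```

Run find_kedh() over the contents of /config/bigip.conf on the unit being upgraded; each tuple returned names an object that still needs its +kEDH entry removed.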

Fix Information

Config loads without error after upgrade from v13.1.0.

Behavior Change
