Bug ID 705730: Config fails to load due to invalid SSL cipher after upgrade from v13.1.0

Last Modified: May 01, 2019

Bug Tracker

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5

Fixed In:
14.0.0

Opened: Feb 07, 2018
Severity: 2-Critical

Symptoms

A configuration containing an apparently invalid SSL cipher entry fails to load after an upgrade from v13.1.0 and requires a manual config load after the upgrade: 'tmsh load sys config'. This occurs because, starting in v13.1.0, 'https' monitors take their SSL attributes from a 'serverssl' profile, which does not support the 'kEDH' cipher; however, 'kEDH' was a default cipher in previous releases, where 'https' monitors relied upon 'OpenSSL'.

Impact

The configuration fails to load, an error message is issued, and the device remains offline until a manual config load is performed.

Conditions

-- Config uses 'https' monitors.
-- Upgrade occurs from v13.1.0 to a later version.

Workaround

You can use either of the following workarounds:
-- After upgrade from v13.1.0, perform a manual config load by running the following command: tmsh load sys config (This works because upon a manual config load command ('tmsh load sys config'), the system replaces the existing 'https' ciphers with defaults appropriate for a 'serverssl' profile in the new version of the software. Even though the system posts an error referencing the invalid 'kEDH' cipher, the device will become 'Active' seconds later, and new default ciphers will be established for 'https' monitors.)
-- Remove 'https' monitors prior to upgrade, and add them again after upgrade.
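As an added example (not from the bug record or from F5), a pre-upgrade check in Python that scans a bigip.conf-style text for 'https' monitors whose cipher string names 'kEDH', so that only those monitors need to be removed or edited before the upgrade, as the second workaround requires. The 'cipherlist' attribute name, the sample config and its legacy default cipher string are assumptions, not values taken from this page.

```python
import re

# Constructed sample in bigip.conf / tmsh syntax (not from the bug record).
# The 'cipherlist' attribute and the legacy default value are assumptions
# about how pre-13.1.0 'https' monitors were stored.
SAMPLE_CONFIG = """\
ltm monitor https /Common/https_legacy {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    defaults-from /Common/https
    interval 5
    timeout 16
}
ltm monitor https /Common/https_modern {
    cipherlist DEFAULT
    defaults-from /Common/https
}
ltm monitor http /Common/http_plain {
    interval 5
}
"""

# One top-level 'ltm monitor https' block: the monitor name, then a flat body
# up to the closing brace at column 0 (assumes no nested blocks in the body).
BLOCK_RE = re.compile(r"^ltm monitor https (\S+) \{\n(.*?)^\}", re.M | re.S)
CIPHERLIST_RE = re.compile(r"^\s*cipherlist (\S+)", re.M)


def cipher_tokens(cipherlist):
    """Split an OpenSSL-style cipher string and drop the +/-/! modifiers.
    Stripping '!' too is deliberate: even an exclusion still references the
    keyword, so the check stays conservative."""
    return [tok.lstrip("+-!") for tok in cipherlist.split(":") if tok]


def find_kedh_https_monitors(config_text):
    """Return (monitor name, cipherlist) for every 'https' monitor whose
    explicit cipher string names kEDH, i.e. a monitor that would trip the
    post-upgrade config load. Monitors with no cipherlist line are skipped."""
    hits = []
    for name, body in BLOCK_RE.findall(config_text):
        m = CIPHERLIST_RE.search(body)
        if m and "kEDH" in cipher_tokens(m.group(1)):
            hits.append((name, m.group(1)))
    return hits


if __name__ == "__main__":
    for name, ciphers in find_kedh_https_monitors(SAMPLE_CONFIG):
        print(f"{name}: cipherlist '{ciphers}' names kEDH; edit or remove before upgrade")
```

The check reads only explicit cipherlist lines and does not resolve 'defaults-from' inheritance, so a monitor that inherits kEDH from a parent monitor must be found by checking the parent.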

Fix Information

Config loads without error after upgrade from v13.1.0.

Behavior Change