Bug ID 705730: Config fails to load due to invalid SSL cipher after upgrade from v13.1.0

Last Modified: Jun 10, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade, LTM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1

Fixed In:
14.0.0

Opened: Feb 07, 2018
Severity: 2-Critical
Related AskF5 Article:
K31992159

Symptoms

Config with apparently invalid SSL cipher entry fails to load after upgrade from v13.1.0, and requires a manual config load after upgrade: tmsh load sys config This occurs because starting in v13.1.0, 'https' monitors rely upon SSL-attributes configured through a 'serverssl' profile, which does not support the 'kEDH' cipher; but the 'kEDH' cipher was a default cipher for previous releases (where 'https' relied upon 'OpenSSL').

Impact

The configuration fails to load, an error message is issued, and the device remains offline until a manual config load and/or edit is performed.

Conditions

-- Upgrade occurs from v13.1.0 to a later version, and either of the following: -- Config uses 'https' monitors. -- Config uses SSL profiles that have the 'kEDH' cipher listed.

Workaround

-- Remove 'https' monitors (and any existing SSL profiles that used the kEDH cipher) prior to upgrade, and add again after upgrade. -- Remove any unsupported +kEDH strings from server SSL profiles. -- If there are no unsupported ciphers such as +kEDH in any server SSL profiles, then after upgrade from v13.1.0, perform manual config load by running the following command: tmsh load sys config (This works because upon a manual config load command, 'tmsh load sys config', the system replaces the existing 'https' ciphers with defaults appropriate for a 'serverssl' profile in the new version of the software. Even though the system posts an error referencing the invalid 'kEDH' cipher, the device becomes 'Active' seconds later, and new default ciphers are established for 'https' monitors.)

Fix Information

Config loads without error after upgrade from v13.1.0.

Behavior Change