Bug ID 743857: Clientssl accepts non-SSL traffic when cipher-group is configured

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1,,

Fixed In:

Opened: Sep 12, 2018
Severity: 2-Critical
Related Article:


Clientssl accepts Non-SSL traffic even when "Non-SSL Connections" is disabled.


Connections to VIP with clientssl profile are not encrypted. If SSL client authentication is enabled, plaintext request is successful meaning that client can get access to resources otherwise requiring a valid client certificate.


In clientssl profile, Cipher Group is configured and one of the "No SSL/TLS/DTLS" option is enabled.


Use Cipher String instead of Cipher Group when configuring clientssl profile.

Fix Information

Properly validate cipher suites in a cipher group before use.

Behavior Change