Bug ID 794493: Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5

Fixed In:
13.1.3

Opened: Jun 17, 2019

Severity: 3-Major

Symptoms

Client SSL profiles may have certificate and key files that differ from those of the parent profile, yet have the 'inherit-certkeychain' attribute set to 'true', even though the profile should not be inheriting these values from the parent. For example:

    ltm profile client-ssl example-prof {
        cert example.crt
        cert-key-chain {
            example {
                app-service none
                cert example.crt
                chain none
                key example.key
                passphrase none
            }
        }
        defaults-from intermediate
        inherit-certkeychain true
        key example.key
    }

If multiple profiles are configured for SNI and assigned to a virtual server, attempting to modify the parent profile can result in this error:

    err mcpd[5352]: 0107149e:3: Virtual server /Common/vs_test has more than one clientssl/serverssl profile with same server name.

Impact

The SSL profile cannot be modified if the profiles are assigned to a virtual server. If the profiles are not configured for SNI, the certificate and key specified on child profiles are reverted to the values from the parent profile.

Conditions

-- Parent profile other than 'clientssl'.
-- Have a child profile created by defining 'cert' and 'key' attributes, rather than specifying a 'cert-key-chain', e.g.:

    tmsh create ltm profile client-ssl example-prof defaults-from intermediate cert example.crt key example.key

Workaround

Create SSL profiles by specifying cert-key-chain, rather than separately specifying 'cert' and 'key' attributes on the SSL profile.

For profiles that are already affected, you can use either of the following workarounds.

Use the GUI:
-- Modify profiles using the GUI and check the 'Custom' checkbox for 'Certificate Key Chain'.

Change the configuration file:
1. Save the configuration.
2. Open bigip.conf for editing.
3. Modify the affected profiles, changing 'inherit-certkeychain true' to 'inherit-certkeychain false'.
4. Load the configuration.
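Before editing bigip.conf by hand, it helps to list which profiles show the combination described under Symptoms. The script below is an added example, not F5 code: the names parse_profiles and find_affected_profiles and the sample configuration are constructed here. It assumes the brace-delimited stanza layout shown in the Symptoms example, and it treats a parent that is not defined in the scanned text as unknown, so any explicit 'cert' or 'key' on such a child is reported.

```python
import re

SAMPLE_CONF = """\
ltm profile client-ssl intermediate {
    cert parent.crt
    key parent.key
}
ltm profile client-ssl example-prof {
    cert example.crt
    cert-key-chain {
        example {
            key example.key
        }
    }
    defaults-from intermediate
    inherit-certkeychain true
    key example.key
}
"""  # constructed sample in the layout of the Symptoms example, not a real config

HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{\s*$")

def parse_profiles(conf_text):
    """Return {name: {top-level attribute: value}} for each client-ssl stanza."""
    profiles, name, depth = {}, None, 0
    for line in conf_text.splitlines():
        if name is None:
            if (m := HEADER.match(line)):
                name, depth = m.group(1), 1
                profiles[name] = {}
            continue
        parts = line.split(None, 1)
        # Record only depth-1 "attr value" pairs; nested cert-key-chain entries are skipped.
        if depth == 1 and len(parts) == 2 and parts[1].strip() != "{":
            profiles[name][parts[0]] = parts[1].strip()
        depth += line.count("{") - line.count("}")
        name = None if depth == 0 else name
    return profiles

def find_affected_profiles(conf_text):
    """List profiles with inherit-certkeychain true, a non-clientssl parent, and own cert/key."""
    profiles, hits = parse_profiles(conf_text), []
    for name, attrs in profiles.items():
        parent = attrs.get("defaults-from", "clientssl")
        inherited = profiles.get(parent, {})
        own = any(k in attrs and attrs[k] != inherited.get(k) for k in ("cert", "key"))
        if attrs.get("inherit-certkeychain") == "true" and parent.split("/")[-1] != "clientssl" and own:
            hits.append(name)
    return hits
```

Run it against a saved copy of the configuration, for example `find_affected_profiles(open("bigip.conf").read())`, and again after the workaround to confirm the list is empty.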

Fix Information

SSL profiles created specifying certificates and keys in the profile now have inherit-certkeychain set to false.

Behavior Change
