Bug ID 802245: When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected.

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Fixed In:
15.1.0, 14.1.2.7

Opened: Jul 03, 2019

Severity: 3-Major

Symptoms

When HTTP/2 is negotiated and none of the provided cipher suites can be matched, the last cipher suite in the list is chosen.

Impact

The least-secure cipher suite would be selected.

Conditions

-- HTTP/2 negotiation is enabled.
-- The provided cipher suites are not matched.

Workaround

Put the most secure cipher suite at the end of the list.

Fix Information

Now the most secure cipher suite is selected regardless of the order in the list.
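
One way to triage a device inventory against the version lists above, as an added example (not F5 code): it classifies each version and, for affected devices, reports the last configured suite, which is the one this bug selects. The inventory layout, hostnames and cipher lists are constructed, and the script assumes that releases after a fixed-in version keep the fix.

```python
# Added example: triage BIG-IP versions against Bug ID 802245.
# Version lists are copied from this page; the inventory below is constructed.
KNOWN_AFFECTED = """14.1.0 14.1.0.1 14.1.0.2 14.1.0.3 14.1.0.5 14.1.0.6 14.1.2
14.1.2.1 14.1.2.2 14.1.2.3 14.1.2.4 14.1.2.5 14.1.2.6 15.0.0 15.0.1 15.0.1.1
15.0.1.2 15.0.1.3 15.0.1.4""".split()
FIXED_14, FIXED_15 = "14.1.2.7", "15.1.0"


def parse(version):
    """'14.1.2' -> (14, 1, 2, 0); raises ValueError on anything else."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return parts + (0,) * (4 - len(parts))


AFFECTED = {parse(v) for v in KNOWN_AFFECTED}


def classify(version):
    """Return 'affected', 'fixed', 'unlisted' or 'unparsed'."""
    try:
        v = parse(version)
    except ValueError:
        return "unparsed"
    if v in AFFECTED:
        return "affected"
    # Assumption: releases after a fixed-in version keep the fix.
    if v >= parse(FIXED_15) or parse(FIXED_14) <= v < (15, 0, 0, 0):
        return "fixed"
    return "unlisted"  # the page does not say either way


def triage(inventory):
    """For affected devices, report the last configured suite: the one the
    bug selects when HTTP/2 is negotiated and no suite matches."""
    rows = []
    for dev in inventory:
        status = classify(dev["version"])
        last = dev["ciphers"][-1] if status == "affected" and dev["ciphers"] else None
        rows.append((dev["host"], status, last))
    return rows


INVENTORY = [  # constructed sample data
    {"host": "ltm-a", "version": "14.1.2.6", "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]},
    {"host": "ltm-b", "version": "15.1.0", "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384"]},
    {"host": "ltm-c", "version": "14.1.0.4", "ciphers": ["AES128-SHA"]},
]
```

Devices reported as affected with a weak suite in the last position are the ones where the workaround has not been applied; "unlisted" versions need a manual check because this page names neither an affected nor a fixed status for them.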
