Bug ID 802245: When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected.

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Fixed In:
15.1.0, 14.1.2.7

Opened: Jul 03, 2019
Severity: 3-Major

Symptoms

If HTTP/2 is negotiated and the provided cipher suites cannot be matched, the last cipher suite in the list is chosen.

Impact

The least-secure cipher suite would be selected.

Conditions

-- HTTP/2 negotiation is enabled.
-- The provided cipher suites are not matched.
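A triage check for the symptom and conditions above, added here as an example and not taken from F5: it reads the output of an `openssl s_client -alpn h2` handshake and reports whether HTTP/2 was negotiated with the last cipher suite of the configured list. The function names, the constructed sample transcript and the sample cipher list (given in OpenSSL naming, in the operator's configured order) are assumptions.

```python
import re

# "Known Affected Versions" copied from this bug record.
AFFECTED = set("""14.1.0 14.1.0.1 14.1.0.2 14.1.0.3 14.1.0.5 14.1.0.6 14.1.2
14.1.2.1 14.1.2.2 14.1.2.3 14.1.2.4 14.1.2.5 14.1.2.6 15.0.0 15.0.1 15.0.1.1
15.0.1.2 15.0.1.3 15.0.1.4""".split())

ALPN_RE = re.compile(r"^ALPN protocol:\s*(\S+)", re.M)
CIPHER_RE = re.compile(r"^New, (\S+), Cipher is (\S+)", re.M)

# Constructed s_client excerpt and cipher list (not captured from a real device).
SAMPLE = """\
New, TLSv1.2, Cipher is AES128-SHA
Compression: NONE
ALPN protocol: h2
"""
PROFILE = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
           "AES128-SHA"]


def parse_handshake(transcript):
    """Return (alpn, tls_version, cipher) from `openssl s_client` output."""
    alpn = ALPN_RE.search(transcript)
    cipher = CIPHER_RE.search(transcript)
    if cipher is None or cipher.group(2) == "(NONE)":
        raise ValueError("no completed handshake in transcript")
    return (alpn.group(1) if alpn else None, cipher.group(1), cipher.group(2))


def triage(transcript, profile_ciphers, bigip_version):
    """Classify one handshake against the symptom in Bug ID 802245."""
    alpn, _, cipher = parse_handshake(transcript)
    if alpn != "h2":
        return "not-applicable: HTTP/2 was not negotiated"
    if cipher not in profile_ciphers:
        return "inconclusive: negotiated cipher is not in the supplied list"
    # With a single-entry list there is no distinct last-entry fallback.
    if len(profile_ciphers) < 2 or cipher != profile_ciphers[-1]:
        return "ok: negotiated cipher is not a last-entry fallback"
    if bigip_version in AFFECTED:
        return "suspect: last cipher in list chosen on an affected version"
    return "review: last cipher chosen, version not in the affected list"


if __name__ == "__main__":
    print(triage(SAMPLE, PROFILE, "14.1.2.6"))
```

A "suspect" result only says the handshake matches the symptom; a client that offers nothing but the last suite produces the same outcome legitimately.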

Workaround

Put the most secure cipher suite at the end of the list.

Fix Information

Now the most secure cipher suite is selected regardless of the order in the list.

Behavior Change