Bug ID 811333: Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile

Last Modified: Oct 16, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade, LTM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 15.0.0

Fixed In:
15.0.1, 14.1.2

Opened: Jul 31, 2019
Severity: 3-Major

Symptoms

After upgrade, configuration load fails and the following error is present in /var/log/ltm log: 01070312:3: Invalid keyword 'sslv2' in ciphers list for profile /Common/serverssl-insecure-compatible Unexpected Error: Loading configuration process failed.

Impact

The config is not loaded, and upgrade fails.

Conditions

-- BIG-IP system with SSLv2 as ciphers option in SSL profile running software v12.x/v13.x. -- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.

Workaround

If you are encountering this after upgrading, run the following commands from the bash prompt: 1. Backup the configuration: #cp /config/bigip.conf /config/bigip_backup.conf 2. List the occurrences of 'sslv2' in the bigip.conf: #more bigip.conf | grep -i sslv2 3. Remove the SSLv2 references: #sed -i "s/\!SSLv2://g" /config/bigip.conf 4. Check to ensure there are no 'sslv2' references: #more bigip.conf | grep -i sslv2 5. Verify the configuration: #tmsh load sys config verify 6. Try loading the configuration: #tmsh load sys config

Fix Information

SSLv2 validation is removed from the configuration and upgrade succeeds.

Behavior Change