Bug ID 839121: A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade

Last Modified: Oct 27, 2020

Bug Tracker

Affected Product:
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 16.0.0, 16.0.0.1

Opened: Oct 16, 2019
Severity: 3-Major

Symptoms

After upgrading, the configuration fails to load and reports an error that a profile located in profile_base.conf uses SSLv2. On inspection, however, no SSLv2 cipher is actually in use.

Impact

Beginning in version 14.x, SSLv2 in a cipher string is no longer only a warning condition; it now prevents the configuration from loading. In most cases the upgrade script removes it correctly, so there is no issue. When this issue is encountered, however, the configuration fails to load after upgrading.

Conditions

The upgrade failure is seen when all of the following conditions are met:
-- A BIG-IP system running software v12.x/v13.x has SSLv2 in the ciphers option of an SSL profile.
-- The system is upgraded to a version that reports an error when SSLv2 is used, such as v14.x/v15.x.
(1) A modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers.
(3) The default profiles whose ciphers are inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.

Workaround

There are two possible workarounds:
-- The easiest way to work around this is to comment out the modified base profile in bigip.conf and then run the command: tmsh load sys config
-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:
1. cp /config/bigip.conf /config/backup_bigip.conf
2. Run: sed -i "s/\!SSLv2://g" /config/bigip.conf
3. tmsh load /sys config
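As an added example (not F5's code and not the bug tracker's own workaround), the script below checks a bigip.conf-style text before an upgrade for SSL profiles whose cipher string uses the rejected keywords and strips the offending tokens from a cipher string. It generalises the sed command above to SSLv2, COMPAT and RC2, with or without a leading '!', at any position in the colon-separated list. The sample configuration is constructed, and the "ltm profile ... { ciphers ... }" line layout is an assumption.

```shell
#!/bin/sh
# Pre-upgrade check for cipher keywords rejected by 14.x+ (added example, not F5 code).
set -eu

# Constructed sample: two modified root profiles with rejected keywords, one clean.
SAMPLE_CONF='ltm profile client-ssl /Common/clientssl {
    ciphers DEFAULT:!SSLv2:!EXPORT
}
ltm profile server-ssl /Common/serverssl {
    ciphers COMPAT:RC2:!SSLv2
}
ltm profile client-ssl /Common/clean {
    ciphers ECDHE+AES-GCM:!SSLv3
}'

# Print "<profile> <ciphers>" for each SSL profile whose cipher string contains
# SSLv2, COMPAT or RC2 (negated or not) as a whole token. Reads files or stdin.
find_bad_cipher_profiles() {
    awk '
        /^ltm profile (client|server)-ssl / { name = $4 }
        /^[[:space:]]*ciphers / {
            if ($2 ~ /(^|:)!?(SSLv2|COMPAT|RC2)(:|$)/) print name, $2
        }' "$@"
}

# Rebuild one cipher string without the rejected tokens, wherever they sit in
# the list. Dropping a positive COMPAT/RC2 keyword narrows the cipher set; on
# 14.x+ those keywords are invalid anyway, so the profile would not load.
strip_bad_cipher_tokens() {
    out=""
    old_ifs=$IFS; IFS=':'; set -f      # split on ':' only, no globbing
    for tok in $1; do
        case "$tok" in
            SSLv2|!SSLv2|COMPAT|!COMPAT|RC2|!RC2) continue ;;
        esac
        out="${out:+$out:}$tok"
    done
    IFS=$old_ifs; set +f
    printf '%s\n' "$out"
}

# Report what the upgrade would reject and the cleaned string for each profile.
printf '%s\n' "$SAMPLE_CONF" | find_bad_cipher_profiles | while read -r name ciphers; do
    printf '%s: %s -> %s\n' "$name" "$ciphers" "$(strip_bad_cipher_tokens "$ciphers")"
done
```

Run it against a copy of bigip.conf (for example the backup taken in step 1 above) rather than the live file, and review the reported profiles before changing anything.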

Fix Information

None

Behavior Change