Bug ID 839121: A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1

Fixed In:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1

Opened: Oct 16, 2019

Severity: 3-Major

Related Article: K74221031

Symptoms

After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.

Impact

Beginning in version 14.x, the presence of SSLv2 in a cipher string is no longer a warning condition; it now prevents the configuration from loading. In most cases the upgrade script properly removes it, so there is no issue. However, when this issue is encountered, the configuration fails to load after upgrading.

Conditions

The upgrade failure is seen when all the following conditions are met:

-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile, running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.

(1) A modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers.
(3) The default profiles whose ciphers are inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.

Workaround

There are two possible workarounds:

-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config
-- If you are post-upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:
   1. cp /config/bigip.conf /config/backup_bigip.conf
   2. Run: sed -i "s/\(\!SSLv2:\|:\!SSLv2\)//g" /config/bigip.conf
   3. tmsh load /sys config
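The following Python script is an added example, not F5 code and not part of this bug record. It shows how a pre-upgrade check for the Conditions above could be implemented against a copy of bigip.conf, and how the Workaround's sed substitution behaves: it parses `ltm profile client-ssl` / `server-ssl` stanzas, resolves the ciphers string through the `defaults-from` chain (so a child profile that inherits from a modified root profile is flagged too, which is the situation in condition 3), and flags any profile whose effective ciphers contain the keywords SSLv2, COMPAT, or RC2. The sample config is constructed; `/Common/app-clientssl` and `/Common/clean-serverssl` are hypothetical names, and the stanza parser assumes the simple one-level brace layout shown. `strip_sslv2` mirrors only the page's sed pattern, so COMPAT and RC2 still have to be edited by hand.

```python
import re

# Constructed sample in bigip.conf syntax. /Common/clientssl and
# /Common/serverssl are the root profiles named in the bug; the other
# two profile names are hypothetical.
SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/clientssl {
    app-service none
    cert /Common/default.crt
    ciphers DEFAULT:!SSLv2
    key /Common/default.key
}
ltm profile client-ssl /Common/app-clientssl {
    cert /Common/app.crt
    defaults-from /Common/clientssl
    key /Common/app.key
}
ltm profile server-ssl /Common/serverssl {
    ciphers DEFAULT:!RC2
}
ltm profile server-ssl /Common/clean-serverssl {
    ciphers DEFAULT
    defaults-from /Common/serverssl
}
"""

# Keywords that make a v14.x+ configuration load fail (from the bug text).
INVALID_KEYWORDS = {"SSLv2", "COMPAT", "RC2"}

# One SSL profile stanza: header line, body, closing brace at column 0.
STANZA_RE = re.compile(
    r"^ltm profile (client-ssl|server-ssl) (\S+) \{\n(.*?)^\}", re.M | re.S)

# Same pattern the page's sed command removes: "!SSLv2:" or ":!SSLv2".
SSLV2_RE = re.compile(r"!SSLv2:|:!SSLv2")


def parse_ssl_profiles(text):
    """Return {profile_name: {field: value, ...}} for SSL profile stanzas."""
    profiles = {}
    for kind, name, body in STANZA_RE.findall(text):
        fields = {"kind": kind}
        for line in body.splitlines():
            line = line.strip()
            if line:
                key, _, value = line.partition(" ")
                fields[key] = value
        profiles[name] = fields
    return profiles


def effective_ciphers(profiles, name, _seen=None):
    """Walk the defaults-from chain until a ciphers value is found."""
    _seen = _seen if _seen is not None else set()
    if name not in profiles or name in _seen:
        return None  # unknown parent (e.g. lives in profile_base.conf) or loop
    _seen.add(name)
    prof = profiles[name]
    if "ciphers" in prof:
        return prof["ciphers"]
    parent = prof.get("defaults-from")
    return effective_ciphers(profiles, parent, _seen) if parent else None


def invalid_keywords(cipher_string):
    """Keywords from INVALID_KEYWORDS present in a ':'-separated cipher string.

    A leading '!' (exclusion) is stripped first: '!SSLv2' is still rejected
    by the v14.x+ loader, which is exactly what this bug is about."""
    return {tok.lstrip("!") for tok in cipher_string.split(":")
            if tok.lstrip("!") in INVALID_KEYWORDS}


def find_affected_profiles(text):
    """Map each profile whose effective ciphers are invalid to its keywords."""
    profiles = parse_ssl_profiles(text)
    report = {}
    for name in profiles:
        ciphers = effective_ciphers(profiles, name)
        if ciphers is not None:
            bad = invalid_keywords(ciphers)
            if bad:
                report[name] = sorted(bad)
    return report


def strip_sslv2(text):
    """Apply the same substitution as the page's sed workaround."""
    return SSLV2_RE.sub("", text)


if __name__ == "__main__":
    print("before:", find_affected_profiles(SAMPLE_BIGIP_CONF))
    print("after :", find_affected_profiles(strip_sslv2(SAMPLE_BIGIP_CONF)))
```

Run against a backup copy of bigip.conf (never the live file) before the upgrade: any profile it lists is one the v14.x+ loader will reject, and the "after" report shows which entries the sed step would not fix.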

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips