Bug ID 885789: Clicking 'Fix Automatically' on PCI Compliance page does not replace non-PCI-compliant-profile with complaint one on HTTP/2 virtual servers

Last Modified: Sep 16, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 16.0.0, 16.0.0.1

Opened: Feb 27, 2020
Severity: 4-Minor

Symptoms

Clicking the 'Fix Automatically' button in the PCI Compliance page does not replace the insecure client SSL profile attached on an HTTP/2 virtual server, with a secure one. The compliance state shows as a red cross mark, indicating the virtual server to be noncompliant.

Impact

The provision for enhanced configuring does not function as expected for HTTP/2-based virtual servers.

Conditions

-- Clicking the 'Fix Automatically' button on the PCI compliance page. -- A noncompliant PCI profile is attached to the HTTP/2 virtual server. -- A PCI-compliant, client SSL profile with renegotiation disabled is available in the SSL profiles.

Workaround

Manually configure a PCI-compliant profile in SSL profiles, with renegotiation disabled, and attach it to the virtual server.

Fix Information

None

Behavior Change