Last Modified: Nov 14, 2022
Affected Product: BIG-IP LTM
Fixed In: 16.0.0
Opened: Feb 28, 2020
Severity: 3-Major
BIG-IP does not validate that proxy-ssl and don't-insert-empty-fragments are not enabled together in the same SSL profile. According to the manual at https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html: Important: For security reasons, when you enable the Proxy SSL setting, the BIG-IP® system automatically disables the Don’t insert empty fragments option. Disabling this option when Proxy SSL is enabled guards against a particular type of cryptographic attack.
No impact to traffic, but BIG-IQ will reject the BIG-IP configuration since BIG-IQ has this validation.
An SSL profile has both proxy-ssl and the option don't-insert-empty-fragments enabled.
When proxy-ssl is enabled, disable the option don't-insert-empty-fragments.
BIG-IP now validates that proxy-ssl cannot be enabled together with don't-insert-empty-fragments.
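On versions without this validation, the conflicting combination can be found before a BIG-IQ import by scanning the saved configuration text. The following is an added example, not F5 code: it assumes the tmsh spelling `dont-insert-empty-fragments`, single-line `options { ... }` entries, and made-up profile names, and it follows `defaults-from` only to parents present in the supplied text, so settings inherited from base profiles stored elsewhere are treated as unknown.

```python
import re

BAD_OPTION = "dont-insert-empty-fragments"  # assumed tmsh spelling of the option on this page
HEADER = re.compile(r"^ltm profile (client-ssl|server-ssl) (\S+) \{\s*$")
# Constructed bigip.conf-style sample; profile names are made up for illustration.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/px_bad {
    options { dont-insert-empty-fragments no-tlsv1.3 }
    proxy-ssl enabled
}
ltm profile client-ssl /Common/px_child {
    defaults-from /Common/px_bad
}
ltm profile client-ssl /Common/px_fixed {
    defaults-from /Common/px_bad
    options { no-tlsv1.3 }
}
"""

def parse_ssl_profiles(text):
    """Return {(kind, name): {setting: [tokens]}} for the top-level settings we care about."""
    profiles, current, depth = {}, None, 0
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        m = HEADER.match(line) if depth == 0 else None
        if m:
            current = profiles.setdefault((m.group(1), m.group(2)), {})
        elif depth == 1 and current is not None and key in ("defaults-from", "proxy-ssl", "options"):
            current[key] = value.strip("{} ").split()
        depth += line.count("{") - line.count("}")  # track nesting so sub-blocks are skipped
        if depth <= 0:
            current, depth = None, 0
    return profiles

def effective(profiles, key, setting):
    """Follow defaults-from until the setting is found; None if no known parent sets it."""
    for _ in range(len(profiles)):  # bounded walk, so a defaults-from loop cannot hang
        prof = profiles.get(key, {})
        if setting in prof:
            return prof[setting]
        key = (key[0], prof.get("defaults-from", [None])[0])
    return None

def find_conflicts(text):
    """Names of SSL profiles whose effective settings pair proxy-ssl with BAD_OPTION."""
    profiles = parse_ssl_profiles(text)
    return sorted(name for kind, name in profiles
                  if effective(profiles, (kind, name), "proxy-ssl") == ["enabled"]
                  and BAD_OPTION in (effective(profiles, (kind, name), "options") or []))
```

For the constructed sample, `find_conflicts(SAMPLE_CONF)` reports `px_bad` and the child that inherits both settings from it, while `px_fixed` passes because its own `options` list overrides the parent's.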