Bug ID 886049: Mcpd validation for proxy ssl and don't-insert-empty-fragments

Last Modified: Nov 14, 2022


Affected Product:
BIG-IP LTM (all modules)

Fixed In:
16.0.0

Opened: Feb 28, 2020
Severity: 3-Major

Symptoms

BIG-IP does not validate that Proxy SSL and the don't-insert-empty-fragments option are not enabled together on the same SSL profile. According to the manual at https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html:

"Important: For security reasons, when you enable the Proxy SSL setting, the BIG-IP® system automatically disables the Don’t insert empty fragments option. Disabling this option when Proxy SSL is enabled guards against a particular type of cryptographic attack."

Impact

No impact to traffic, but BIG-IQ will reject the BIG-IP configuration since BIG-IQ has this validation.

Conditions

An SSL profile has both proxy-ssl and the option don't-insert-empty-fragments enabled.

Workaround

When proxy-ssl is enabled, disable the option don't-insert-empty-fragments.

Fix Information

BIG-IP now validates that proxy-ssl cannot be enabled together with don't-insert-empty-fragments.

Behavior Change