Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP Install/Upgrade, LTM
Fixed In:
16.0.0
Opened: Feb 28, 2020
Severity: 3-Major
Related Article:
K000138720
BIG-IP does not validate that proxy-ssl and don't-insert-empty-fragments are not enabled together. According to the manual at https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html:

"Important: For security reasons, when you enable the Proxy SSL setting, the BIG-IP® system automatically disables the Don’t insert empty fragments option. Disabling this option when Proxy SSL is enabled guards against a particular type of cryptographic attack."
No impact to traffic, but BIG-IQ will reject the BIG-IP configuration since BIG-IQ has this validation.
An SSL profile with proxy-ssl and the option don't-insert-empty-fragments both enabled.
When proxy-ssl is enabled, disable the option don't-insert-empty-fragments.
BIG-IP now validates that proxy-ssl cannot be enabled together with don't-insert-empty-fragments. Note that this can cause the configuration to fail to load on an upgrade if you have an SSL profile that has dont-insert-empty-fragments and proxy-ssl enabled at the same time.
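A pre-upgrade check for the conflict described above, as an added example that is not F5 code: it scans bigip.conf-style text for SSL profiles that set both proxy-ssl and dont-insert-empty-fragments. The stanza layout (`ltm profile client-ssl`/`server-ssl`, `options { ... }`, `proxy-ssl enabled`), the sample profiles and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample in bigip.conf style (not taken from a real device).
SAMPLE_CONF = """\
ltm profile client-ssl /Common/proxy_bad {
    cert-key-chain {
        default {
            cert /Common/default.crt
        }
    }
    options { dont-insert-empty-fragments no-tlsv1.3 }
    proxy-ssl enabled
}
ltm profile client-ssl /Common/proxy_ok {
    options { no-tlsv1.3 }
    proxy-ssl enabled
}
ltm profile server-ssl /Common/plain {
    options { dont-insert-empty-fragments }
    proxy-ssl disabled
}
"""

HEADER = re.compile(r"^ltm profile (?:client-ssl|server-ssl) (\S+) \{\s*$", re.M)

def stanza_body(text, start):
    """Return the body of a brace-delimited stanza that opens just before `start`."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]  # truncated file: scan what is present

def conflicting_profiles(conf_text):
    """List SSL profiles with proxy-ssl enabled and dont-insert-empty-fragments set."""
    hits = []
    for m in HEADER.finditer(conf_text):
        body = stanza_body(conf_text, m.end())
        proxy = re.search(r"^\s*proxy-ssl\s+enabled\s*$", body, re.M)
        opts = re.search(r"^\s*options\s*\{([^}]*)\}", body, re.M)
        if proxy and opts and "dont-insert-empty-fragments" in opts.group(1).split():
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(conflicting_profiles(SAMPLE_CONF))
```

The check only sees settings written in each profile's own stanza; a value inherited from a parent profile is not resolved, so review parent profiles as well before upgrading.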