Symptoms

BIG-IP does not check that proxy ssl and don't-insert-empty-fragments do not exist together. According to the manual at https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html ********* Important: For security reasons, when you enable the Proxy SSL setting, the BIG-IP® system automatically disables the Don’t insert empty fragments option. Disabling this option when Proxy SSL is enabled guards against a particular type of cryptographic attack.

Impact

No impact to traffic, but BIG-IQ will reject the BIG-IP configuration since BIG-IQ has this validation.

Conditions

SSL profile with proxy-ssl and option don't-insert-empty-fragments enabled.

Workaround

When proxy-ssl is enabled, disable the option don't-insert-empty-fragments.

Fix Information

BIG-IP now validates proxy-ssl cannot be enabled with don't-insert-empty-fragments.

Behavior Change