Bug ID 886049: Mcpd validation for proxy ssl and don't-insert-empty-fragments

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP Install/Upgrade, LTM(all modules)

Fixed In:
16.0.0

Opened: Feb 28, 2020

Severity: 3-Major

Related Article: K000138720

Symptoms

BIG-IP does not validate that proxy-ssl and don't-insert-empty-fragments are not enabled together on the same SSL profile.

According to the manual at https://techdocs.f5.com/kb/en-us/products/BIG-IP_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html:

Important: For security reasons, when you enable the Proxy SSL setting, the BIG-IP® system automatically disables the Don’t insert empty fragments option. Disabling this option when Proxy SSL is enabled guards against a particular type of cryptographic attack.

Impact

No impact to traffic, but BIG-IQ will reject the BIG-IP configuration since BIG-IQ has this validation.

Conditions

SSL profile with proxy-ssl and option don't-insert-empty-fragments enabled.

Workaround

When proxy-ssl is enabled, disable the option don't-insert-empty-fragments.

Fix Information

BIG-IP now validates that proxy-ssl cannot be enabled together with don't-insert-empty-fragments. Note that this can cause the configuration to fail to load on an upgrade if you have an SSL profile that has the dont-insert-empty-fragments and proxy-ssl features enabled at the same time.
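A pre-upgrade check for the conflicting combination described above, as an added example that is not F5 code: it scans tmsh-style configuration text for SSL profile stanzas that enable proxy-ssl while listing dont-insert-empty-fragments under options. Assumptions: the stanza layout and profile names in the constructed sample, checking both client-ssl and server-ssl profiles, and both settings being written explicitly in the stanza (values inherited through a parent profile are not resolved).

```python
import re

# Constructed sample in tmsh configuration syntax (not from a real device).
SAMPLE_CONFIG = """\
ltm profile client-ssl /Common/proxy_bad {
    options { dont-insert-empty-fragments no-tlsv1.3 }
    proxy-ssl enabled
}
ltm profile client-ssl /Common/proxy_ok {
    options { no-tlsv1.3 }
    proxy-ssl enabled
}
ltm profile server-ssl /Common/plain {
    options {
        dont-insert-empty-fragments
    }
    proxy-ssl disabled
}
"""

HEADER = re.compile(r"^ltm profile (client-ssl|server-ssl) (\S+) \{\s*$")
OPTIONS = re.compile(r"\boptions\s*\{([^}]*)\}")  # single-line or multi-line block
PROXY = re.compile(r"^\s*proxy-ssl\s+enabled\s*$", re.MULTILINE)

def iter_ssl_profiles(text):
    """Yield (kind, name, body) for each top-level SSL profile stanza."""
    depth, body = 0, []
    for line in text.splitlines():
        if depth == 0:  # outside any SSL profile: look for the next header
            m = HEADER.match(line)
            if m:
                kind, name = m.groups()
                depth, body = 1, []
            continue
        depth += line.count("{") - line.count("}")  # follow nested blocks
        if depth <= 0:  # closing brace of the profile stanza
            yield kind, name, "\n".join(body)
            depth = 0
        else:
            body.append(line)

def find_conflicts(text):
    """Return (kind, name) for profiles the new validation would reject."""
    hits = []
    for kind, name, body in iter_ssl_profiles(text):
        opts = OPTIONS.search(body)
        tokens = opts.group(1).split() if opts else []
        if PROXY.search(body) and "dont-insert-empty-fragments" in tokens:
            hits.append((kind, name))
    return hits
```

Calling `find_conflicts` on the configuration text before upgrading lists the profiles to correct with the workaround above.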

Behavior Change
