Bug ID 964673: CRL with duplicate entries is allowed to be uploaded, but later unable to pass traffic due to 'invalid profile'

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

Opened: Nov 13, 2020

Severity: 3-Major

Symptoms

A CRL containing a duplicate entry can be uploaded and attached to an SSL profile, and that profile can later be attached to a virtual server. The virtual server then fails to process traffic due to 'invalid profile'. A message such as the following appears in the LTM log:

warning tmm1[3543]: 01260009:4: 10.1.1.1:52138 -> 10.1.1.2:443: Connection error: hud_ssl_handler:1216: alert(40) invalid profile unknown on VIP /Common/vip-01

The 'invalid profile' message appears in the LTM log only after the CRL is attached to the SSL profile and the SSL profile is attached to the virtual server. It does not appear when the CRL is initially uploaded or when the CRL is attached to the SSL profile.

Impact

Traffic disrupted on the virtual server.

Conditions

The CRL contains a duplicate entry.

Workaround

Don't upload a CRL containing duplicate entries.
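
One way to check a CRL before uploading it, as an added example (not F5 code or tooling): the Python below walks the DER structure of a PEM or DER CRL and reports serial numbers that are listed more than once. It assumes "duplicate entry" means the same serial number appearing in more than one revoked-certificate entry; the function names and the unsigned sample CRL are constructed for illustration.

```python
import base64
import re
from collections import Counter

def _tlv(buf, off):
    """Read one DER TLV at off; return (tag, value_start, value_end)."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                                # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + n

def _children(buf, start, end):
    """Return every TLV directly inside buf[start:end]."""
    out = []
    while start < end:
        out.append(_tlv(buf, start))
        start = out[-1][2]
    return out

def revoked_serials(crl):
    """Serial numbers listed in a PEM or DER X.509 CRL, in file order."""
    pem = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", crl, re.S)
    der = base64.b64decode(pem.group(1)) if pem else crl
    _, s, _ = _tlv(der, 0)                      # CertificateList
    fields = _children(der, *_tlv(der, s)[1:])  # members of tbsCertList
    i = 4 if fields[0][0] == 0x02 else 3        # [version,] signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                  # optional nextUpdate
    if i >= len(fields) or fields[i][0] != 0x30:
        return []                               # revokedCertificates absent
    entries = _children(der, fields[i][1], fields[i][2])
    return [int.from_bytes(der[a:b], "big")     # userCertificate INTEGER of each entry
            for _, a, b in (_tlv(der, vs) for _, vs, _ in entries)]

def duplicate_serials(crl):
    """Map each serial listed more than once (as hex) to its number of entries."""
    return {hex(sn): n for sn, n in Counter(revoked_serials(crl)).items() if n > 1}

# Constructed, unsigned sample (structure only): serial 0x10 is listed twice.
_T = b"\x17\x0d201113000000Z"                   # UTCTime
def _seq(body):
    return b"\x30" + bytes([len(body)]) + body
SAMPLE_CRL = _seq(_seq(b"\x02\x01\x01" + _seq(b"") * 2 + _T * 2 + _seq(b"".join(
    _seq(b"\x02\x01" + bytes([sn]) + _T) for sn in (0x10, 0x11, 0x10)))) + _seq(b"") + b"\x03\x01\x00")
```

A non-empty result from duplicate_serials() on the file's bytes means the CRL falls under the condition described above and should not be uploaded as-is.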

Fix Information

None

Behavior Change
