Last Modified: Sep 14, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2
Opened: Nov 13, 2020
Severity: 3-Major
A CRL containing a duplicate entry can be uploaded and attached to an SSL profile (which is later attached to a virtual server), after which the virtual server does not process traffic due to 'invalid profile'. A message like the following appears in the LTM log:

warning tmm1[3543]: 01260009:4: 10.1.1.1:52138 -> 10.1.1.2:443: Connection error: hud_ssl_handler:1216: alert(40) invalid profile unknown on VIP /Common/vip-01

The 'invalid profile' message is logged only after the CRL is attached to the SSL profile and the SSL profile is attached to the virtual server, not when the CRL is initially uploaded or attached to the SSL profile.
Traffic disrupted on the virtual server.
CRL containing duplicate entry.
Don't upload a CRL containing duplicate entries.
None
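
One way to apply the workaround above before uploading a CRL, as an added example that is not F5 code. It assumes a "duplicate entry" means the same certificate serial number listed more than once; the function names and the sample text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-upload check for duplicate CRL entries.
# Assumption: a "duplicate entry" is a certificate serial number that appears
# more than once in the CRL's revoked-certificates list.

# Read `openssl crl -noout -text` output on stdin and print each serial
# number that occurs more than once (hex compared case-insensitively).
duplicate_serials() {
    awk '/^[ \t]*Serial Number:/ {
             serial = toupper($NF)
             if (++seen[serial] == 2) print serial
         }'
}

# Check a CRL file (PEM by default; pass DER as the second argument).
# Returns 0 if clean, 1 if duplicates are found, 2 if the file cannot be parsed.
check_crl() {
    local file=$1 form=${2:-PEM} text dups
    text=$(openssl crl -in "$file" -inform "$form" -noout -text 2>/dev/null) || {
        echo "cannot parse $file as a $form CRL" >&2
        return 2
    }
    dups=$(printf '%s\n' "$text" | duplicate_serials)
    if [ -n "$dups" ]; then
        echo "duplicate serial numbers in $file:" >&2
        printf '%s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Constructed sample of the revoked-certificates section that openssl prints
# for a CRL (not taken from the page); serial 1000 is listed twice.
SAMPLE_CRL_TEXT='Revoked Certificates:
    Serial Number: 1000
        Revocation Date: Nov  2 00:00:00 2020 GMT
    Serial Number: 1001
        Revocation Date: Nov  3 00:00:00 2020 GMT
    Serial Number: 1000
        Revocation Date: Nov  4 00:00:00 2020 GMT'

# Usage: check_crl /path/to/ca.crl && echo "no duplicate entries found"
```

A non-zero return from `check_crl` means the CRL should be regenerated or corrected before it is attached to an SSL profile.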