Bug ID 999097: SSL::profile may select profile with outdated configuration

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2

Fixed In:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5

Opened: Mar 03, 2021

Severity: 3-Major

Symptoms

Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.

Impact

The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.

Conditions

iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.

Workaround

Avoid making changes to a profile that is actively being used by the iRule command.

Fix Information

The system now makes sure that SSL profiles are properly reloaded after changes are made.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips