Bug ID 999097: SSL::profile may select profile with outdated configuration

Last Modified: Dec 05, 2022

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2

Fixed In:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5

Opened: Mar 03, 2021
Severity: 3-Major

Symptoms

Under some circumstances, an iRule-selected SSL profile may send a previously configured certificate to the peer.

Impact

The TLS client may receive an outdated certificate that does not match the current configuration, potentially leading to handshake failures.

Conditions

iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.

Workaround

Avoid making changes to a profile that is actively being used by the iRule command.
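To find which profiles the workaround applies to, the following added example (not F5 code and not part of the original bug record) scans bigip.conf-style text for virtual servers whose iRules call SSL::profile on a profile that is not attached to that virtual server, as described under Conditions. The sample configuration and all object names are constructed, and only literal full-path profile names are handled.

```python
import re
# Constructed sample in bigip.conf style; all object names are hypothetical.
SAMPLE_CONF = """\
ltm rule /Common/pick_ssl {
    when CLIENTSSL_CLIENTHELLO {
        SSL::profile /Common/alt_clientssl
    }
}
ltm virtual /Common/vs_https {
    profiles {
        /Common/main_clientssl { context clientside }
        /Common/tcp { }
    }
    rules { /Common/pick_ssl }
}
ltm virtual /Common/vs_alt {
    profiles {
        /Common/alt_clientssl { context clientside }
    }
    rules { /Common/pick_ssl }
}
"""
PATH = r"/[\w./-]+"  # literal full-path object name, e.g. /Common/name

def brace_body(text, start):
    """Text from just after an opening '{' (at start) to its matching '}'."""
    depth, i = 1, start
    while depth and i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]

def stanzas(conf, kind):
    """Map object name -> body for every top-level 'ltm <kind> <name> {' stanza."""
    return {m.group(1): brace_body(conf, m.end())
            for m in re.finditer(rf"^ltm {kind} (\S+) \{{", conf, re.M)}

def names_in(body, key):
    """Object paths listed inside the 'key { ... }' sub-block of a virtual."""
    m = re.search(rf"^\s*{key} \{{", body, re.M)
    return re.findall(PATH, brace_body(body, m.end())) if m else []

def find_exposed(conf):
    """(virtual, rule, profile) where SSL::profile names a profile not attached."""
    rules, hits = stanzas(conf, "rule"), set()
    for vs, body in stanzas(conf, "virtual").items():
        attached = set(names_in(body, "profiles"))
        for rule in names_in(body, "rules"):
            called = re.findall(rf"\bSSL::profile\s+({PATH})", rules.get(rule, ""))
            hits |= {(vs, rule, p) for p in called if p not in attached}
    return sorted(hits)
```

Each tuple returned by `find_exposed` names a profile whose cert-key-chain should not be edited while the iRule is in use on an affected version; profile names built from variables in the iRule are not resolved and need manual review.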

Fix Information

The system now makes sure that SSL profiles are properly reloaded after changes are made.

Behavior Change