Operational Defect Database


F5 | 945189

HTTPS monitor fails due to missing ECDHE-RSA-AES256-CBC-SHA

Last update date:

4/26/2024

Affected products:

BIG-IP

BIG-IP Install/Upgrade

BIG-IP LTM

Affected releases:

14.1.2.6

14.1.2.7

14.1.2.8

14.1.3

14.1.3.1

14.1.4

14.1.4.1

14.1.4.2

14.1.4.3

14.1.4.4

14.1.4.5

14.1.4.6

Fixed releases:

No fixed releases provided.

Description:

Symptoms

After upgrade, the 'DEFAULT' cipher string in the server SSL profile attached to the HTTPS monitor no longer includes the ECDHE-RSA-AES256-CBC-SHA cipher suite (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; OpenSSL name ECDHE-RSA-AES256-SHA) in the Client Hello that the monitor sends.

Impact

1. The upgrade breaks SSL pool monitoring for backends that require ECDHE-RSA-AES256-CBC-SHA: the monitor's handshake fails and the pool members are marked down.

2. Monitoring may also succeed, but with a different cipher suite from the 'DEFAULT' list than before the upgrade, which can increase resource usage or result in unexpectedly weaker encryption.

Note: Whichever suite is negotiated between the monitored HTTPS backend and the server SSL profile still belongs to the 'DEFAULT' list.

Conditions

After upgrade, the HTTPS monitor's cipher list is taken from the ciphers setting of its server SSL profile, and that setting is DEFAULT.

Workaround

BIG-IP provides ways to customize the cipher string used by the server SSL profile, so a profile whose cipher string explicitly includes ECDHE-RSA-AES256-CBC-SHA can be attached to the monitor.

Via the configuration utility: https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-ltm-configuring-custom-cipher-string-for-ssl-negotiation/configuring-a-custom-cipher-string-for-ssl-...
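The following script is an added example written for this page; it is not F5's or BugZero's code. It shows the two things an operator wants around this defect: a check that a cipher listing (such as the output of `tmm --serverciphers 'DEFAULT'` on the affected unit) actually offers the suite the backend needs, and the tmsh form of the workaround described above, a dedicated server-ssl profile whose cipher string appends the missing suite to DEFAULT and is then attached to the HTTPS monitor. The profile name `monitor-serverssl`, the monitor name `my_https_monitor`, and the sample listing are all placeholders constructed for the example; only the suite-name column of a real tmm listing is imitated.

```shell
#!/usr/bin/env sh
# Added example (not from F5 or BugZero). Helpers for checking whether the
# server SSL profile behind an HTTPS monitor still offers a required cipher
# suite, and for emitting the tmsh workaround. Object names are placeholders.
set -eu

# F5's cipher names differ from OpenSSL's for the ECDHE CBC suites:
# F5 'ECDHE-RSA-AES256-CBC-SHA' is OpenSSL 'ECDHE-RSA-AES256-SHA'
# (IANA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA). Strip the '-CBC' token so the
# same name can be handed to openssl s_client for an out-of-band check of
# the backend. Names without the token pass through unchanged.
f5_to_openssl_name() {
    printf '%s\n' "$1" | sed -E 's/-CBC-SHA$/-SHA/'
}

# True if the named suite appears as a whole token in a cipher listing.
# Anchored on whitespace so 'ECDHE-RSA-AES256-SHA' does not match
# 'ECDHE-RSA-AES256-SHA384', and extra columns around the name are ignored.
cipher_in_list() {
    suite=$1; listing=$2
    printf '%s\n' "$listing" | grep -Eq "(^|[[:space:]])${suite}([[:space:]]|$)"
}

# Emit the tmsh commands for the workaround: a dedicated server-ssl profile
# that appends the missing suite to DEFAULT, attached to the HTTPS monitor
# (the monitor's cipher list is read from its server SSL profile). Keeping
# DEFAULT first leaves the stronger suites preferred; the CBC suite is only a
# fallback for backends that insist on it. Profile/monitor names are placeholders.
workaround_cmds() {
    suite=$1; profile=${2:-monitor-serverssl}; monitor=${3:-my_https_monitor}
    cat <<EOF
tmsh create ltm profile server-ssl ${profile} defaults-from serverssl ciphers 'DEFAULT:${suite}'
tmsh modify ltm monitor https ${monitor} ssl-profile ${profile}
tmsh save sys config
EOF
}

# Decide what to do for one monitor: return 0 and report when the suite is
# offered, otherwise print the remediation and return 1.
check_monitor_ciphers() {
    suite=$1; listing=$2
    if cipher_in_list "$suite" "$listing"; then
        echo "ok: ${suite} is offered"
        return 0
    fi
    echo "missing: ${suite} is not in the profile's cipher list" >&2
    workaround_cmds "$suite"
    return 1
}

# Constructed, abbreviated listing standing in for the suite-name column of
# `tmm --serverciphers 'DEFAULT'` on an affected release (not real tmm
# output): the ECDHE CBC-SHA suite is absent.
SAMPLE_DEFAULT_LISTING='ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
AES256-SHA'

# Demonstration on the constructed listing; the failing return is expected.
check_monitor_ciphers ECDHE-RSA-AES256-CBC-SHA "$SAMPLE_DEFAULT_LISTING" || true
```

On a real unit, replace the constructed listing with the actual `tmm --serverciphers 'DEFAULT'` output and, before re-enabling a CBC/SHA-1 suite, confirm with `openssl s_client -connect <member>:443 -cipher "$(f5_to_openssl_name ECDHE-RSA-AES256-CBC-SHA)"` that the backend really has no stronger suite in common with DEFAULT; if it does, fixing the backend's cipher preference is the better resolution than widening the monitor's cipher string.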


Status

New
