BugZero | F5 BugID 794417 - Modifying enforce-tls-requirements to enabled on t...

F5 - Defect ID: 794417

Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

F5 - Defect ID: 794417

Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

Last updated on 5/29/2024

Overall: 7.17.1

Severity: 7.37.3

Community: 4.14.1

Lifecycle: 7.17.1

What is the BugZero Risk Score?

Vendor details

Priority: 3-Major
Status: Verified
Impact Category: Local Traffic Manager

Overall: 7.17.1

Severity: 7.37.3

Community: 4.14.1

Lifecycle: 7.17.1

What is the BugZero Risk Score?

Vendor details

Priority: 3-Major
Status: Verified
Impact Category: Local Traffic Manager

Symptoms

On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.

Impact

The configuration does not load if saved, and reports an error: 01070734:3: Configuration error: In Virtual Server (/Common/http2vs) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/my_clientssl'; renegotiation must be disabled.

Conditions

BIG-IP system validation does not prevent this configuration in the following scenario: 1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile. 2. Enable 'TLS Renegotiation' in the Client SSL profile. 3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.

Workaround

If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in all Client SSL profiles on that virtual server.

Fix Information

Added a missing validation check for TLS Renegotiation and Enforce TLS Requirements.

Behavior Change

BIG-IP validation now requires TLS Renegotiation of the SSL profile to be disabled when the TLS Enforcement requirement (RFC7540) is enabled in the HTTP/2 profile

Original Vendor Announcement

9.85Defect ID: 1927557
Blades are not upgraded after partition upgraded to 1.8.1 from 1.8.0 EHF build
9.85Defect ID: 1496269
VCMP guest on version 16.1.4 or above might experience constant TMM crashes.
9.45Defect ID: 1474081
Central Manager upgrade fails, leaving VM in maintenance mode
9.45Defect ID: 970269
Install fails as lind keeps failing due to "Fatal error: block id new probe failed - device file:/dev/cdrom"
9.45Defect ID: 1785385
ICMP traffic failures when tenant is running BIG-IP v17.1.2 or above

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

F5 - Defect ID: 794417

Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

F5 - Defect ID: 794417

Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

Last updated on 5/29/2024

Vendor details

Vendor details

Description

Symptoms

Impact

Conditions

Workaround

Fix Information

Behavior Change

Links

Top F5 defects by risk score

Ready to prevent the next vendor outage?