Forum Discussion

MrVJTod_64267's avatar
MrVJTod_64267
Icon for Nimbostratus rankNimbostratus
Jan 25, 2018

SSL certs reset to default on 12.1.3 with client profile change

Since I updated all of my boxes to 12.1.3, I've realized that SSL certificates are dropped from my SSL profiles each time I make a change to an SSL Client profile.

 

If I modify the ciphers or enable/disable SSL options, after the save, the "Certificate Key Chain" resets to the default ssl certificate, which doesn't validate anything.

 

I can always re-add the certs to my profile, it's just a hassle that it resets with every save.

 

I'd open a support request, but I'm not really hurting by this issue. It's just a hassle.

 

LTM
security

11 Replies

Sort By
Show More
  • Simon_Blakely's avatar
    Simon_Blakely
    Icon for Employee rankEmployee
    Jan 28, 2018

    Personally, I'd only ever request engineering hotfixes for severe issues where user-side configuration adjustments do not suffice, i.e. memory leaks.

     

    In this case, where a minor option change in the client-SSL profile may introduce a public-facing and possibly catastrophic reconfiguration of the security aspects of the profile, I'd recommend the EHF - if an administrator is not aware of the risks introduced by ID701626, then the potential risks can be high.

     

    With ENG-HF, until the issue at hand is addressed in main release cycle, you will miss out on security updates and other bug fixes.

     

    F5 Support is perfectly willing to regenerate EHFs against new releases until an ID is fully integrated into the mainstream release. However, the new EHF does need to be requested, and there may be short delays after a new release for the specific EHF to be built.