Bug ID 664000: TMM restart/core possible if key/cert is modified while SSL handshakes are ongoing

Last Modified: Jul 15, 2024

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Opened: May 10, 2017

Severity: 3-Major

Symptoms

Dynamic configuration changes made while live traffic is flowing can cause complicated issues or unpredictable behavior. TMM might restart and generate a core file when the key/cert on a profile is modified while ongoing SSL handshakes are using it. The system posts messages similar to the following:

-- crit tmm3[13499]: 01010260:2: Hardware Error(Co-Processor): cn3 request queue stuck
-- warning sod[6005]: 01140029:4: HA crypto_failsafe_t cn-crypto-3 fails action is failover.
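To check whether a TMM restart matches this signature, the two messages can be paired in a log excerpt. This is an added example, not F5 code: the sample lines, the syslog timestamp/host prefix, the 30-second window, and the assumption that cnN and cn-crypto-N name the same device are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample; the "Mon DD HH:MM:SS host" prefix is an assumed syslog layout.
SAMPLE_LOG = """\
May 10 09:14:02 bigip1 crit tmm3[13499]: 01010260:2: Hardware Error(Co-Processor): cn3 request queue stuck
May 10 09:14:03 bigip1 warning sod[6005]: 01140029:4: HA crypto_failsafe_t cn-crypto-3 fails action is failover.
May 10 09:20:00 bigip1 info constructed[1]: unrelated line
May 10 11:02:10 bigip1 crit tmm1[13497]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck
"""

STUCK = re.compile(r"crit (tmm\d+)\[\d+\]: 01010260:2: Hardware Error\(Co-Processor\): "
                   r"cn(\d+) request queue stuck")
FAILSAFE = re.compile(r"warning sod\[\d+\]: 01140029:4: HA crypto_failsafe_t "
                      r"cn-crypto-(\d+) fails action is (\w+)")

def _stamp(line, year):
    # Syslog timestamps omit the year, so the caller supplies it.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def correlate(text, year=2017, window=timedelta(seconds=30)):
    """Pair each stuck-queue message with a later failsafe message for the same device."""
    stuck, failsafe = [], []
    for line in text.splitlines():
        if m := STUCK.search(line):
            stuck.append((_stamp(line, year), m.group(1), m.group(2)))
        elif m := FAILSAFE.search(line):
            failsafe.append((_stamp(line, year), m.group(1), m.group(2)))
    findings = []
    for when, tmm, dev in stuck:
        # Assumption: cnN and cn-crypto-N refer to the same crypto device.
        action = next((a for t, d, a in failsafe
                       if d == dev and timedelta(0) <= t - when <= window), None)
        findings.append({"time": when, "tmm": tmm, "device": dev, "ha_action": action})
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        state = f"HA action: {f['ha_action']}" if f["ha_action"] else "no HA action logged"
        print(f"{f['time']:%b %d %H:%M:%S} {f['tmm']} cn{f['device']} stuck; {state}")
```

A finding whose timestamp lines up with a key/cert or SSL profile change is a candidate match for the condition described in this bug.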

Impact

Normal functionality might be disrupted. Traffic is disrupted while TMM restarts. Note: Dynamic profile configuration changes are not currently supported while there are ongoing connections using the profile.

Conditions

The key/cert on a profile is modified while ongoing SSL handshakes are holding it. In one case, OCSP was removed from all the SSL profiles at some point after the handshake started, so the handshake picked up the new profile without refreshing or invalidating the handshake's copy of the key_cert.

Workaround

Do not try to modify key/certs on a profile while there are a lot of ongoing connections using it.

Fix Information

None

Behavior Change
