Symptoms
The TLS 1.0 protocol was removed from the list of SSL protocols allowed by default in the management utility.
This impacts the iControl REST API, and if you are using configuration management tools like Ansible (which uses Python) compiled with an older OpenSSL version, this will cause the client to suddenly fail to connect with an error similar to the following: SSLError: EOF occurred in violation of protocol.
The protocol defaults can be seen with the following tmsh command:
# tmsh list sys httpd ssl-protocol
sys httpd {
ssl-protocol "all -SSLv2 -SSLv3 -TLSv1"
}
Impact
BIG-IP systems refuse to allow TLSv1 connections, so the client will be unable to connect. This will most likely be encountered as a sudden inability to connect after upgrading.
Conditions
This can occur when connecting to the configuration utility, including using the iControl REST API, with an HTTPS client that is not compiled with TLS 1.1 or TLS 1.2 support.
Workaround
While TLS 1.0 can be re-enabled on BIG-IP systems via the 'tmsh modify sys httpd ssl-protocol' command, this is not advised because the protocol is past the end-of-life date.
It is highly recommended to upgrade the OpenSSL version on all client devices that connect to the BIG-IP configuration utility.
Fix Information
TLS 1.0 is no longer in the default SSL protocols list, and all SSL clients need to have support for TLS 1.1 or 1.2 or they will be unable to connect.
Behavior Change
The configuration utility no longer allows the TLS 1.0 protocol by default. The following tmsh command shows the before and after settings:
Prior to version 14.0.0:
# tmsh list sys httpd ssl-protocol
sys httpd {
ssl-protocol "all -SSLv2 -SSLv3"
}
Beginning in version 14.0.0:
# tmsh list sys httpd ssl-protocol
sys httpd {
ssl-protocol "all -SSLv2 -SSLv3 -TLSv1"
}
All clients connecting via SSL must have support for TLS 1.1 or 1.2 or they will be unable to connect.
