BugZero | F5 BugID 794417 - Modifying enforce-tls-requirements to enabled on t...

F5 - Defect ID: 794417

Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

F5 - Defect ID: 794417

Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

Last updated on December 31st, 2025

BugZero Risk Score
6.7 Medium

Overall: 6.7

Severity: 7.3

Community: 4.2

Lifecycle: 7.0

What is the BugZero Risk Score?

F5 Integration

Learn more about where this data comes from

F5 Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: 3-Major
Status: Verified
Impact Category: Local Traffic Manager
Views: 38

Description

Symptoms

On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.

Impact

The configuration does not load if saved, and reports an error: 01070734:3: Configuration error: In Virtual Server (/Common/http2vs) an http2 profile with enforce-tls-requirements enabled is incompatible with clientssl profile '/Common/my_clientssl'; renegotiation must be disabled.

Conditions

BIG-IP system validation does not prevent this configuration in the following scenario: 1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile. 2. Enable 'TLS Renegotiation' in the Client SSL profile. 3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.

Workaround

If enabling 'Enforce TLS Requirements' in an HTTP/2 profile configured on a virtual server, ensure that 'TLS Renegotiation' is disabled in all Client SSL profiles on that virtual server.

Fix Information

Added a missing validation check for TLS Renegotiation and Enforce TLS Requirements.

Behavior Change

BIG-IP validation now requires TLS Renegotiation of the SSL profile to be disabled when the TLS Enforcement requirement (RFC7540) is enabled in the HTTP/2 profile

Change history

2025-04-28 Added: 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1

Relevant Products

Click on a version to see all relevant bugs

Affected versions:13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1

Fixed versions: 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4

Relevant Products

Click on a version to see all relevant bugs

Fixed versions: 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4

Top F5 Defects

9.4Defect ID: 1691489
Traffic does not pass through rSereis FIPS system
9.4Defect ID: 970269
Install fails as lind keeps failing due to "Fatal error: block id new probe failed - device file:/dev/cdrom"
9.4Defect ID: 1429717
APM as oAuth AS intermittently returning HTTP/1.1 400 Bad Request
9.4Defect ID: 2141205
Tpm-status returns: "System Integrity: Invalid" on BIG-IP versions released since October 2025
9.4Defect ID: 1032405
TMUI XSS vulnerability CVE-2021-23037

Ready to prevent the next vendor outage?

Get a demo

F5 - Defect ID: 794417

Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

F5 - Defect ID: 794417

Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

Last updated on December 31st, 2025

BugZero Risk Score6.7 Medium

Bug Details

Symptoms

Impact

Conditions

Workaround

Fix Information

Behavior Change

Top F5 Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
6.7 Medium