Forum Discussion

jondyke_46152
Jun 13, 2014

client-ssl broken

After upgrading to 11.5.1 HF2 on our LTM VE (from 11.2.1), we have noticed that when you go into any of the SSL client profiles, the certificate and key fields are showing the first cert and key in each of the lists in the dropdown.

Running tmsh list /ltm profile client-ssl from a shell I can see that all of the profiles are correct but in the GUI they are wrong.

More worryingly I am not able to create a new profile in the GUI - when you click update it defaults back to the top of the list and running tmsh list on the profile, it's empty! Any ideas before I raise a ticket?
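Since the thread's conclusion is that only `tmsh list /ltm profile client-ssl` shows what is really deployed, a small checker over that output is the practical safeguard. This is an added example, not code from the thread or from F5: it parses tmsh's brace-delimited listing (the sample text below is constructed, with profile names invented for illustration) and reports profiles whose `cert-key-chain` block is empty, which is the symptom described above. The assumption that a profile with `inherit-certkeychain true` legitimately has an empty block (it uses the parent's chain) is mine.

```python
"""Flag client-ssl profiles whose deployed cert-key-chain is empty.

Added example; the tmsh output below is constructed for illustration and is
not taken from the forum thread. Feed it real output with:
    tmsh list /ltm profile client-ssl > profiles.txt
and call profiles_without_chain(open('profiles.txt').read()).
"""

PREFIX = "ltm profile client-ssl "

# Constructed sample: two healthy profiles and one (broken_ssl) that was saved
# from the GUI without pressing Add, so its cert-key-chain block is empty.
SAMPLE = """\
ltm profile client-ssl clientssl {
    app-service none
    cert default.crt
    cert-key-chain {
        default {
            cert default.crt
            chain none
            key default.key
        }
    }
    chain none
    key default.key
    passphrase none
}
ltm profile client-ssl www_example_ssl {
    cert www.example.com.crt
    cert-key-chain {
        www_example {
            cert www.example.com.crt
            chain intermediate.crt
            key www.example.com.key
        }
    }
    defaults-from clientssl
    inherit-certkeychain false
    key www.example.com.key
}
ltm profile client-ssl broken_ssl {
    cert-key-chain { }
    defaults-from clientssl
    inherit-certkeychain false
}
"""


def parse_tmsh(text):
    """Turn tmsh's brace-delimited listing into nested dicts.

    'key value' lines become {key: value}; 'name {' opens a nested dict that
    a lone '}' closes; 'name { }' is an empty block.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root


def cert_key_chains(text):
    """Map profile name -> list of (cert, key, chain) tuples actually deployed."""
    result = {}
    for name, body in parse_tmsh(text).items():
        if not name.startswith(PREFIX):
            continue
        entries = [
            (e.get("cert"), e.get("key"), e.get("chain", "none"))
            for e in body.get("cert-key-chain", {}).values()
        ]
        result[name[len(PREFIX):]] = entries
    return result


def profiles_without_chain(text):
    """Names of profiles with no deployed cert/key that do not inherit one.

    Assumption: inherit-certkeychain true means the parent's chain applies,
    so an empty block there is not a misconfiguration.
    """
    parsed = parse_tmsh(text)
    flagged = []
    for name, entries in cert_key_chains(text).items():
        body = parsed[PREFIX + name]
        if not entries and body.get("inherit-certkeychain") != "true":
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name, entries in cert_key_chains(SAMPLE).items():
        print(name, entries)
    print("empty cert-key-chain:", profiles_without_chain(SAMPLE))
```

Running it against the sample prints the deployed pair for each profile and lists `broken_ssl` as the only one with nothing deployed; on a real box the same function run after every GUI change would catch a profile that silently lost its certificate.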

11 Replies

  • Keep us posted on what you find out. I was actually just planning to update our F5's to 11.5.1 HF2 from 11.3 HF8 here in two weeks.

  • I'm seeing a similar issue. I have an open case (since 6/1), but no resolution to date.

  • I may be missing something, but the only certificate/key values that are used/applied in the client profile are the ones that are explicitly added to the Certificate Key Chain field. You select a cert and key (and optionally a CA chain) and click the Add button. The certificate/key in the drop down select itself is not part of the resulting configuration. This is indeed a different experience than previous versions.

  • Wow. I thought I was going mad. Yes, the web interface with 11.5.1 HF3 "SEEMS" to be knackered when attempting to add an ssl-client entry. Basically, the cert and key entries are ignored UNLESS YOU PRESS THE ADD BUTTON. I was getting a different error with 11.5.0: it was complaining that an invalid key pair was specified, although a manual check using openssl showed that the cert and private key were correct. (heck, I copied them from another web server where they worked...)

    Although not fun, I was able to work around the problem by manually specifying the SSL clients using tmsh. So, this looks like a web management interface problem.

    I'm new to F5 BIG-IP LTM (background with Cisco ACE, CSM, CSS, etc...) and must say that this really pissed me off as I have wasted over a day first wondering if I was doing something wrong, and then trying to figure out a work-around. Mind you, it has been a good learning opportunity as it forced me into tmsh early on...

    I would recommend that the interface be modified to do some better data validation. I.e. ensure that the "ADD" button has been pressed before allowing the changes to be committed.

  • Just noticed this ... want to make sure I'm understanding correctly.

    I think what is being said is that, starting with 11.5.1, the dropdown fields (certificate, key, chain) and passphrase field are ONLY used to populate the text field below the Add/Replace buttons. The values shown in those dropdown fields aren't significant in and of themselves - the ONLY value that matters is what's in the text field. Correct?

    If so, suggestion would be to simply leave the dropdowns blank (initially) and label the text field something forceful, like "Currently Deployed Certificate/Key/Chain" right next to the field ... it did cause me momentary palpitations that every single client SSL profile had the wrong cert/key (well, all but one :-).

    • Rusty2002_80091
      Yes, that's the way I understand the behavior. I like the idea of updating the UI too.