Client-SSL Profile Error: "SSL forward proxy RSA CA key is missing"??
I am trying to create a client SSL profile via the rest API, and I am getting the error "SSL forward proxy RSA CA key is missing". Does anyone know what might be the cause of the error?
It sounds like you enabled the SSL forward proxy function on the profile.
https://support.f5.com/csp/article/K14783#3
what is the rest API call you make?
- Cory_Blankenshi (Altostratus)
That's the weird thing though - SSL forward proxy is disabled. I'm sending the following payload to the endpoint "https://my.f5.com/mgmt/tm/ltm/profile/client-ssl":
{
  "name": "cssl_my_default",
  "partition": "Common",
  "alertTimeout": "10",
  "allowDynamicRecordSizing": "disabled",
  "allowNonSsl": "disabled",
  "appService": "none",
  "bypassOnClientCertFail": "disabled",
  "bypassOnHandshakeAlert": "disabled",
  "cacheSize": 262144,
  "cacheTimeout": 3600,
  "cert": "/Common/mycrt",
  "certExtensionIncludes": [ "basic-constraints", "subject-alternative-name" ],
  "certLifespan": 30,
  "certLookupByIpaddrPort": "disabled",
  "chain": "/Common/entrust_certification_authority_-_l1k",
  "cipherGroup": "none",
  "ciphers": "DEFAULT",
  "defaultsFrom": "/Common/clientssl",
  "description": "::dev:: none",
  "genericAlert": "enabled",
  "handshakeTimeout": "10",
  "inheritCertkeychain": "false",
  "key": "/Common/mykey",
  "maxActiveHandshakes": "indefinite",
  "maxAggregateRenegotiationPerMinute": "indefinite",
  "maxRenegotiationsPerMinute": 5,
  "maximumRecordSize": 16384,
  "modSslMethods": "disabled",
  "mode": "enabled",
  "notifyCertStatusToVirtualServer": "disabled",
  "ocspStapling": "disabled",
  "tmOptions": [ "dont-insert-empty-fragments" ],
  "peerNoRenegotiateTimeout": "10",
  "proxyCaCert": "none",
  "proxyCaKey": "none",
  "proxySsl": "disabled",
  "proxySslPassthrough": "disabled",
  "renegotiateMaxRecordDelay": "indefinite",
  "renegotiatePeriod": "indefinite",
  "renegotiateSize": "indefinite",
  "renegotiation": "enabled",
  "secureRenegotiation": "require",
  "serverName": "none",
  "sessionMirroring": "disabled",
  "sessionTicket": "disabled",
  "sessionTicketTimeout": 0,
  "sniDefault": "false",
  "sniRequire": "false",
  "sslForwardProxy": "disabled",
  "sslForwardProxyBypass": "disabled",
  "sslSignHash": "any",
  "strictResume": "disabled",
  "uncleanShutdown": "enabled"
}
- Satoshi_Toyosa1 (Ret. Employee)
I reproduced the error you observed on 14.1 using the data you posted. Which BIG-IP version are you using?
# curl -sku <user>:<pass> https://<mgmtIp>/mgmt/tm/ltm/profile/client-ssl -X POST \
-H "Content-type: application/json" -d@sat1
{"code":400,"message":"01071610:3: Profile /Common/cssl_my_default's SSL forward proxy RSA CA key is missing.","errorStack":[],"apiError":3}
(the file sat1 contains the data above).
If 14.1, remove tmOptions, proxyCaCert, proxyCaKey, proxySsl and proxySslPassthrough from your post data, and try again.
- Cory_Blankenshi (Altostratus)
Hi Satoshi,
I figured out the issue, and it's pretty annoying: our client SSL profiles had SSL forward proxy disabled, however there were options in that section that had the custom value checkbox selected, even though they were still the default values. After I unchecked those boxes, the keys were removed from the JSON and I could migrate the profile without issue.
The annoying bit about this is that despite SSL forward proxy being disabled, associated key/value pairs are being validated because the custom checkbox was checked. I would think that if SSL forward proxy is disabled, related key/value pairs wouldn't show up in the JSON data, let alone be validated.
Thanks for looking into the issue, though. I hope all is well on your end!
Cheers!
- Cory_Blankenshi (Altostratus)
Also, regarding v.14 and tmOptions, apparently you have to use a cipher group if you want to disable "No TLSv1.3" (this is enabled by default). Here's why this is annoying:
1) "No TLSv1.3" isn't available in v.13, so if you use a cipher string in v.13 client SSL profiles instead of a cipher group, you can't migrate your profile to v.14 via the API without throwing an error saying that the option must be enabled if you aren't using a cipher group. You either have to add that option to the tmOptions value list or create the cipher group on your target BIG-IP beforehand.
2) If I'm not mistaken, you can recreate a cipher string as a cipher group, so your string and group could be virtually the same. Why would the system then require a cipher group if you don't want to disable TLSv1.3?
- Satoshi_Toyosa1 (Ret. Employee)
The issue is most likely due to the bug (ID723562) found in 14.1. Your POST data does work on 13.1. Please contact F5 Support for more information.
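The two migration problems discussed in this thread (forward-proxy keys that 14.1 validates even though sslForwardProxy is disabled, and the "No TLSv1.3" option that 14.x requires when a cipher string is used instead of a cipher group) can both be handled by cleaning the exported 13.1 profile before it is POSTed. The script below is an added example, not code from the thread or from F5; it removes the keys Satoshi lists, and assumes that the "No TLSv1.3" option is spelled `no-tlsv1.3` in `tmOptions`, matching its tmsh name. The sample profile is a constructed subset of the payload posted above.

```python
"""Clean a BIG-IP 13.1 client-ssl profile export before POSTing it to
/mgmt/tm/ltm/profile/client-ssl on a 14.1 system.

Added example for the thread above; not part of the thread or of F5 tooling.
"""
import copy
import json

# Keys Satoshi's reply says to drop when the forward proxy feature is off.
# 14.1 validates them anyway (bug ID723562 per the thread).
FORWARD_PROXY_KEYS = ("proxyCaCert", "proxyCaKey", "proxySsl", "proxySslPassthrough")

# Assumption: the REST tmOptions list uses the tmsh spelling of "No TLSv1.3".
NO_TLS13_OPTION = "no-tlsv1.3"

# Constructed sample: a subset of the payload posted in the thread.
SAMPLE_PROFILE = {
    "name": "cssl_my_default",
    "partition": "Common",
    "cert": "/Common/mycrt",
    "key": "/Common/mykey",
    "cipherGroup": "none",
    "ciphers": "DEFAULT",
    "tmOptions": ["dont-insert-empty-fragments"],
    "proxyCaCert": "none",
    "proxyCaKey": "none",
    "proxySsl": "disabled",
    "proxySslPassthrough": "disabled",
    "sslForwardProxy": "disabled",
    "sslForwardProxyBypass": "disabled",
}


def prepare_for_14(profile):
    """Return (cleaned_profile, notes); the input dict is left untouched.

    - sslForwardProxy disabled: remove the forward-proxy keys that the GUI's
      "custom" checkbox leaves in the export, so 14.1 does not validate them.
    - cipher string in use (cipherGroup == "none") with an explicit tmOptions
      list: make sure the No-TLSv1.3 option is present, since 14.x rejects
      the profile otherwise (Cory's point 1 above). With a cipher group the
      option is not required, so tmOptions is left alone.
    """
    cleaned = copy.deepcopy(profile)
    notes = []

    if cleaned.get("sslForwardProxy", "disabled") == "disabled":
        for key in FORWARD_PROXY_KEYS:
            if key in cleaned:
                value = cleaned.pop(key)
                notes.append(f"removed {key}={value!r} (forward proxy disabled)")

    if cleaned.get("cipherGroup", "none") == "none" and "tmOptions" in cleaned:
        if NO_TLS13_OPTION not in cleaned["tmOptions"]:
            cleaned["tmOptions"].append(NO_TLS13_OPTION)
            notes.append(f"added {NO_TLS13_OPTION} to tmOptions (cipher string in use)")

    return cleaned, notes


def to_post_body(profile):
    """Serialise the cleaned profile as the JSON body for the curl -d@ file."""
    return json.dumps(profile, indent=2, sort_keys=True)


if __name__ == "__main__":
    cleaned, notes = prepare_for_14(SAMPLE_PROFILE)
    for note in notes:
        print("-", note)
    print(to_post_body(cleaned))
```

Write the output of `to_post_body` to a file and pass it with `-d@<file>` exactly as in Satoshi's curl command; the `notes` list is worth logging during a bulk migration so that every profile whose payload was altered can be reviewed afterwards.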