Forum Discussion
A Lot more failures after TLS1.0 disable
Hi all,
Maybe someone had a similar issue and can offer a workaround. After disabling TLS1.0 for an existing SSL profile I can see many more failures in the statistics:
Failures
Premature Disconnects: 0
Handshake Failures: 49.1K
Renegotiations Rejected: 0
Fatal Alerts: 10.1K
In tcpdump I can see a layer 2 problem (it is strange how an SSL profile setting can affect that):
Before the LTM we have a firewall with NAT. I believe we need to modify some L2 settings, but in the same VLAN we still have profiles with TLS1.0 working and they have a lot fewer failures (~0.1% if we compare with all connections on the profile). TLS1.0-disabled profiles have 15-20% failures if we compare with all connections to the SSL profile.
Thanks for any ideas.
3 Replies
- Srini_87152
Cirrostratus
Hi,
F5 doesn't have any control over which protocol upstream devices communicate on. If we block TLS 1.0, an upstream device might still be communicating on TLS 1.0, causing high failures.
Upstream devices/servers/user browsers should upgrade the TLS version.
Thx
Srini
- Stanislas_Piro2
Cumulonimbus
How did you disable TLS 1.0?
I had a weird behavior when I tried to disable TLS 1.0 in version 12.1.2.
When I enabled No TLSv1 in Options List, it disabled TLS 1.1 and left TLS 1.0 enabled.
Can you scan your server with SSL Labs to see if this is the same behavior?
- aandreyy_293459
Nimbostratus
Hi, I disabled TLS by changing the cipher string value in the SSL profile. I also scanned the site in SSL Labs: no TLS1.0 for sure. Actually there are no complaints from anyone (who supports higher TLS versions) that there is any problem; I just want to be sure those errors are nothing serious before going live with the TLS1.0 disable.