Forum Discussion
brepav123_22459
Cirrus
CirrusChange client TLS version through F5 server connection
Hi all, ive been presented with a challenge from our team here. We have an Oracle system that only supports connections up to TLS version 1.0. However one of the sites Oracle interacts with requires us to use TLS 1.2. Our thought was to use the F5 as a proxy for that connection. From the client (Oracle) to the F5 would be TLS version 1.0, then the connection from the F5 to the server (external website) would be TLS version 1.2. However in the testing ive done the F5 seems to pass through whatever TLS connection the client chooses. I've tested this by navigating to a TLS test page (through the F5) and seeing the server connection show the version as 1.0. Is there any way or trick to make the F5 connection to the server 1.2 then the connection to the client 1.0?
Thanks in advance for any and all replies!
Faruk_AYDINNimbostratus
Use in client SSL profile TLSv1 and in server SSL profile TLSv1_2.
tmsh create /ltm profile client-ssl ciphers TLSv1tmsh create /ltm profile server-ssl ciphers TLSv1_2
Brad_ParkerYou will need both a server and client SSL profile similar to what farukaydin put above, but you don't necessarily need to force TLSv1.2 on the client profile nor TLSv1.0 on the server profile. They will negotiate independent of each other as long as you DO NOT select Proxy SSL in the profile. Remember BIG-IP is full proxy from the get go so just applying a client and server SSL profile each SSL connection will be negotiate independently.
Maskman_58643Hi,
I have exactly the same problem. I want to know if there is something to do in the Oracle application to make him contact the F5 machine to do the job except a routing (route the application to the Gateway of the F5) ?
Thanks in advance. Regards,