Forum Discussion
Change the default SSL version in F5
Hi Guys,
I am getting an error where the F5 is initiating an SSL handshake but not getting any response from the server. When I checked with the server team, they told me the F5 is sending SSLv3 and SSLv3 is disabled on the server; that's the reason the handshake is not getting completed. Below is the snapshot of it.
The server team is using TLS 1.0, 1.1 and 1.2. Is there any way I can enable the same version on the F5? It should not impact the other VIPs which are already running on it.
successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
- Smithy
Cirrostratus
Sounds like you are using an older version of BIG-IP that has SSLv3 enabled. See: https://support.f5.com/csp/article/K13171.
Regardless, the older versions of BIG-IP support TLS unless it has been explicitly disabled in the Cipher String on the Server SSL Profile: https://support.f5.com/csp/article/K14806
- Nilesh_Dubey_36
Nimbostratus
Hi Brett,
Thanks for your response. I am using version 12.1.1 firmware. I don't think it is too old. I am not using a standard VIP; I am using performance layer 4. Is there any way I can change the SSL version only for this VIP?
Thanks, Nilesh
- Nilesh_Dubey_36
Nimbostratus
I read an article on changing the SSL version of a particular VIP, but in my case it's not applicable as I am using a performance layer 4 VIP, not a standard one.
Is there any way I can modify the SSL version of a performance layer 4 VIP?
Thanks, Nilesh
- Kevin_Stewart
Employee
You cannot change the SSL behavior of a performance layer 4 VIP, because performance layer 4 VIPs don't have SSL settings.
If you do indeed have a performance L4 VIP configured, then IT IS NOT doing anything with the encryption between the client and server. You should probably do an ssldump on both sides of the VIP (client side and server side) to verify the SSL handshake traffic.
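As an added example (not part of the thread and not F5 code): once a capture from each side of the VIP has given you the raw ClientHello record bytes, a parser like this reports which protocol versions that hello advertises, keeping the record-layer version, the `client_version` field and the `supported_versions` extension apart. The function names and the sample bytes are constructed for illustration.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def name(v):
    return NAMES.get(v, f"unknown(0x{v:04x})")

def client_hello_versions(record: bytes) -> dict:
    """Report the protocol versions one raw ClientHello record advertises."""
    try:
        ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rec_len]
        if ctype != 0x16 or body[0] != 0x01:
            raise ValueError("not a TLS handshake ClientHello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        (client_ver,) = struct.unpack("!H", hello[:2])
        pos = 2 + 32                                          # skip random
        pos += 1 + hello[pos]                                 # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                                 # compression
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    offered = []
    if pos + 2 <= len(hello):                                 # extensions present
        end = min(len(hello), pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            if etype == 43 and data:                          # supported_versions
                offered = [int.from_bytes(data[i:i + 2], "big")
                           for i in range(1, 1 + data[0], 2)]
            pos += 4 + elen
    known = [v for v in offered if v in NAMES]                # ignore GREASE values
    return {"record_layer": name(rec_ver),
            "client_version": name(client_ver),
            "supported_versions": [name(v) for v in offered],
            "highest_offered": name(max(known) if known else client_ver)}

# Constructed sample: record layer 0x0301, client_version 0x0303, no extensions.
_HELLO = bytes.fromhex("0303") + bytes(32) + b"\x00" + bytes.fromhex("0002002f") + b"\x01\x00"
SAMPLE = (b"\x16\x03\x01" + struct.pack("!H", len(_HELLO) + 4)
          + b"\x01" + len(_HELLO).to_bytes(3, "big") + _HELLO)

if __name__ == "__main__":
    print(client_hello_versions(SAMPLE))
```

Comparing the result for the client-side and server-side captures shows whether the hello the server receives is the same one the client sent.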
- Nilesh_Dubey_36
Nimbostratus
Hi Kevin,
Thanks for the response. I will run the SSLdump and check the SSL handshake traffic.
Regards, Nilesh