Change the default SSL version in F5

Question

Hi Guys,&nbsp;
I am getting an error where F5 is initiating SSL handshake but not getting any response from server.
When I checked with server team, they told F5 is sending SSLv3 and SSLv3 is disabled on server that's the reason handshake is not getting completed. below is the snapshot of it.&nbsp;
Server team is using TLS1.0,1.1 and 1.2. Is there any way, I can enable the same version on F5 but it should not impact other VIP which is already running on it. &nbsp;
successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):&nbsp;

smithy · Answer

Sounds like you are using an older version of BIG-IP that has SSLv3 enabled. See: https://support.f5.com/csp/article/K13171.&nbsp;
Regardless, the older versions BIG-IPs support TLS unless it has been explicitly disabled in the Cipher String on the Server SSL Profile: https://support.f5.com/csp/article/K14806&nbsp;

nilesh_dubey_36 · Answer

Hi Brett,&nbsp;
Thanks for your response.
I am using version 12.1.1 firmware. I don't think it is too old. 
I am not using standard VIP, using performance layer4. Is there any way, I can change the SSL version only for this VIP.&nbsp;
Thanks,
Nilesh &nbsp;

nilesh_dubey_36 · Answer

I read an article to change the SSL version of a particular VIP but in my case its not applicable as I am using performance layer 4 VIP not a standard one.&nbsp;
Is there any way I can modify the SSL version of performance layer 4 VIP?  
&nbsp;
Thanks,
Nilesh &nbsp;

kevin_stewart · Answer

You cannot change the SSL behavior of a performance layer 4 VIP, because performance layer 4 VIPs don't have SSL settings.&nbsp;
If you do indeed have a performance L4 VIP configured, then IT IS NOT doing anything with the encryption between the client and server. You should probably do an ssldump on both sides of the VIP (client side and server side) to verify the SSL handshake traffic.&nbsp;

nilesh_dubey_36 · Answer

Hi Kavin,&nbsp;
Thanks for the response.
I will run the SSLdump and check the SSL handshake traffic.&nbsp;
Regards,
Nilesh &nbsp;

Forum Discussion

Change the default SSL version in F5

5 Replies

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

What configuration issue am I experiencing with this 130-domain VS ?

Ivanti MDM Core & F5 LTM/ASM with mTLS

F5 BIGIP & XC certbot plugin

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

F5 radius login not working

Related Content

Introducing Rülbased - version your iRules on BIG-IP!

change default admin user name on F5

Using Cloud Templates to Change BIG-IP Versions - Azure

Using Cloud Templates to Change BIG-IP Versions - AWS

Using Cloud Templates to Change BIG-IP Versions - Google GCP