Forum Discussion
Hi Kevin,
Today we found the issue and wanted to share it on this thread. The issue appears to be a problem with Microsoft AD. Microsoft AD is not behaving correctly when the client requests a TLS1.2 connection, and the AD LDAP certificate is signed with RSA-SHA256.
If the certificate is signed with RSA-SHA1, no problem with TLS1.2.
Although this appears to be an AD problem, the solution we implemented was to disable TLS1.2 from the protocol list on the server SSL profile ("!TLS1_2").
Now F5 negotiates over TLS1.1 and everything works.
The reason it was working when we did not decrypt at the F5 was because the client application was negotiating using TLS1.1 all along while the F5 was using TLS1.2 when we enabled the serverssl profile.
In a previous post I mentioned that one of the scenarios with re-encryption was working with plain text on the client side, but after today we think we might have got lost in the dozen test cases we had gone through.
Thanks a lot for engaging.
Pat