Jeff_Williams_4
Jun 24, 2014 (Nimbostratus)
Disable Supported Elliptic Curves Extension from server
Hi,
We see that our F5 load balancer running BIG-IP 11.5.1 Build 2.0.121 Hotfix HF2, is sending the extension for "elliptic curves" (id=10). For example, this is an extract from a debug using the command:
$ openssl s_client -tls1 -tlsextdebug -state -debug -connect server:443
...
TLS server extension "renegotiation info" (id=65281), len=1
0001 -
TLS server extension "elliptic curves" (id=10), len=4
0000 - 00 02 00 17 ....
TLS server extension "EC point formats" (id=11), len=2
...
The problem is that the elliptic curves extension is a Client Hello extension and not a Server Hello extension according to http://tools.ietf.org/html/rfc4492. This causes some clients (in particular, versions of GNU TLS) to fail to connect. GNU TLS has been updated to tolerate this behaviour (https://www.gitorious.org/gnutls/gnutls/commit/45ec742d6db94b8a5aa2f4f1b3f560d948230e3b), but it is difficult for us to update the clients.
Is there a way to disable this extension on the load balancer?
Regards, Jeff
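As an added illustration (not part of the original post, and not F5 or GnuTLS code): a small parser for a TLS extensions block that flags extension id 10 (elliptic curves), which RFC 4492 defines for the Client Hello only, while leaving the EC point formats extension (id 11) alone. The sample bytes are constructed here to match the three server extensions shown in the openssl output above.

```python
import struct
from typing import Dict, List, Tuple

# Extension ids seen in the post (RFC 4492 for 10/11, RFC 5746 for 65281).
ELLIPTIC_CURVES = 10       # RFC 4492 section 5.1: sent by the client only
EC_POINT_FORMATS = 11      # legitimately echoed by the server
RENEGOTIATION_INFO = 65281
CLIENT_HELLO_ONLY = {ELLIPTIC_CURVES}


def parse_extensions(blob: bytes) -> List[Tuple[int, bytes]]:
    """Parse a TLS extensions block: 2-byte total length, then (type, len, data) triples."""
    if len(blob) < 2:
        raise ValueError("extensions block too short")
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length does not match block size")
    out, pos = [], 2
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        data = blob[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension body")
        out.append((ext_type, data))
        pos += ext_len
    return out


def forbidden_in_server_hello(blob: bytes) -> List[int]:
    """Extension types a server must not send in its Server Hello."""
    return [t for t, _ in parse_extensions(blob) if t in CLIENT_HELLO_ONLY]


def curves_from_extension(data: bytes) -> List[int]:
    """Decode an elliptic_curves body: 2-byte list length, then 2-byte NamedCurve ids."""
    (n,) = struct.unpack("!H", data[:2])
    return list(struct.unpack("!%dH" % (n // 2), data[2:2 + n]))


# Constructed sample: the three server extensions from the openssl dump in the post.
SAMPLE_SERVER_EXTENSIONS = bytes.fromhex(
    "0013"                    # total extensions length: 19 bytes
    "ff01" "0001" "00"        # renegotiation info, len 1
    "000a" "0004" "00020017"  # elliptic curves, len 4: list len 2, curve 0x17 (secp256r1)
    "000b" "0002" "0100"      # EC point formats, len 2: list len 1, uncompressed
)

if __name__ == "__main__":
    exts: Dict[int, bytes] = dict(parse_extensions(SAMPLE_SERVER_EXTENSIONS))
    print("server extensions:", sorted(exts))
    print("not allowed in Server Hello:", forbidden_in_server_hello(SAMPLE_SERVER_EXTENSIONS))
```

Feeding the block the raw extension bytes captured from a real handshake (for example via a packet capture of the Server Hello) gives the same check without relying on openssl's text output.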