Forum Discussion
Jeff_Williams_4
Jun 27, 2014 Nimbostratus
Hi afedden,
Thanks for the recommendation, however, I have been unable to test since I only have access to a partition and changes with roles on 11.5 mean that I am no longer able to edit SSL Client Profiles. And our main client running into issues has now been patched to ignore the erroneous extension.
Jeff
- afedden_1985 (Jun 30, 2014, Cirrus): Just an FYI, we implemented 11.5 and didn't run into any issue and I didn't disable the ECDHE ciphers. Also F5 tried a repro based on your description and was unable to repro the issue. The issue that did get me was 11.5 removed support for SSLv3 and that caused some issues for some clients until we enabled it.
- Jeff_Williams_4 (Jun 30, 2014, Nimbostratus): Out of interest, if you run the command:
  openssl s_client -tls1 -tlsextdebug -state -debug -connect :443
  with a version of openssl > 1.0.0, do you get the 'TLS server extension "elliptic curves"' line? We only found it caused issues with certain versions of GNU TLS, so you may not see an issue. That said, it looks like the GNU TLS behaviour was correct. We too had the issue with SSLv3 disappearing, so we added in ciphers as per http://support.f5.com/kb/en-us/solutions/public/15000/000/sol15022.html, then we hit this issue with the elliptic curves!