Forum Discussion
F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2
- Jan 31, 2020
Hi all.
I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.
https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication
So basically I just followed the fix in the above article: I defined a server name, and the backend service started sending Server Hello etc. Everything works fine now!
Thank you all for your responses, as quite a few of them were helpful in identifying that the issue is with the app, and I could also spot a few things that were not proper in the negotiation part.
Hi pstavr,
BIG-IP is NOT using TLS 1.0.
Although not specified in the RFC, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:
SSL Record:
Content Type: Handshake (22)
Version: $LOWEST_VERSION <----
Handshake Record:
Handshake Type: Client Hello (1)
Version: $HIGHEST_VERSION <----
The BIG-IP system implementation tells the TLS peer that the system supports only TLS versions from the $LOWEST_VERSION through the $HIGHEST_VERSION.
The back-end server is then supposed to reply with the selected version correctly and move on.
If your server is failing because of this, then there's an issue with your server, but definitely NOT BIG-IP.
Please, is there a Fatal Alert sent by the server with the error code? You should look into that.
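The two points made in this thread, the record-layer version being the lowest supported version while the handshake client_version carries the highest, and the server only behaving once the ClientHello carries a server_name (SNI) extension, can be seen directly in the bytes. The following is an added example written for this page, not code from F5, the original poster, or the linked article. It builds a minimal ClientHello with a TLS 1.0 record header (0x0301) wrapping a TLS 1.2 (0x0303) handshake, optionally adds an SNI extension, parses the result the way a server would, and shows the version a correct server selects. The fixed "random" bytes, cipher suite list and hostname "app.example.com" are constructed values chosen for determinism, not captured traffic.

```python
import struct

# Constructed for this example: fixed ClientHello random so the output is deterministic.
FIXED_RANDOM = bytes(range(32))
# Constructed cipher suite list (ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, AES128-GCM-SHA256).
DEFAULT_SUITES = (0xC02F, 0xC030, 0x009C)


def build_client_hello(record_version=(3, 1), hello_version=(3, 3),
                       server_name=None, cipher_suites=DEFAULT_SUITES):
    """Build a TLS ClientHello record.

    record_version -> version field of the 5-byte record header ($LOWEST_VERSION slot).
    hello_version  -> client_version inside the ClientHello body ($HIGHEST_VERSION slot).
    server_name    -> hostname for the server_name (SNI) extension, or None to omit it.
    """
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    compression = b"\x00"  # null compression only

    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")  # SNI carries ASCII (A-label) hostnames
        # ServerName entry: name_type 0 (host_name), 2-byte length, name
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host
        # ServerNameList: 2-byte list length, then the entries
        sni_data = struct.pack("!H", len(name_entry)) + name_entry
        # Extension: type 0x0000 (server_name), 2-byte data length, data
        extensions += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data

    body = (bytes(hello_version)
            + FIXED_RANDOM
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + struct.pack("!B", len(compression)) + compression)
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions

    # Handshake header: msg_type 1 (ClientHello) + 3-byte body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:]  + body
    # Record header: content_type 22 (handshake) + record version + 2-byte length
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (record_version, hello_version, sni_hostname_or_None) as a server sees them."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version = (record[1], record[2])
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    hello_version = (body[0], body[1])
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    sni = None
    if pos < len(body):                            # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0x0000:
                # skip 2-byte list length and 1-byte name_type, then 2-byte name length
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
    return record_version, hello_version, sni


def negotiate_version(record, server_versions=((3, 1), (3, 2), (3, 3))):
    """What a correct server does: pick its highest supported version that is <= the
    handshake client_version. The record-layer version must not drive this choice."""
    _, hello_version, _ = parse_client_hello(record)
    candidates = [v for v in server_versions if v <= hello_version]
    if not candidates:
        raise ValueError("no common version: server would send a protocol_version alert")
    return max(candidates)


if __name__ == "__main__":
    for name in (None, "app.example.com"):
        hello = build_client_hello(server_name=name)
        rec_ver, hs_ver, sni = parse_client_hello(hello)
        print(f"record {rec_ver} handshake {hs_ver} sni={sni!r} "
              f"-> server selects {negotiate_version(hello)}")
```

The record header of such a ClientHello reads 0x0301, which is why a packet capture labels the record "TLSv1" even though the handshake offers TLS 1.2; the server must base its choice on the handshake client_version, as negotiate_version does. The parse_client_hello output also shows the difference the SNI fix in the thread makes: without a server_name the hostname is None, and a virtual-hosted or SNI-required backend has nothing to select a certificate or site binding on.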