Forum Discussion
F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2
- Jan 31, 2020
Hi all.
I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.
https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication
So basically I just followed the fix in the above article: I defined a server name and the backend service started sending Server Hello etc. Everything works fine now!
Thank you all for your responses, as quite a few of them were helpful in identifying that the issue is with the app, and I could also spot a few things that were not proper on the negotiation part.
Hi Rodrigo
Thank you for your reply. We are already trying a few tweaks on the Windows Server 2019 / IIS environment for fixing this. I understand your comment and it makes sense. What I do not understand, however, is why F5 would use TLS 1.0 initially to contact the backend server during the Client Hello. I am using a server SSL profile which limits the ciphers to TLS 1.2 only. I should also mention that Windows 10 clients accessing the backend server directly work perfectly fine. While doing a Wireshark capture on the Windows clients, the Client Hello is entirely on TLS 1.2 (both lowest and highest version). Hence my questioning of why F5 would send a TLS 1.0 Client Hello. The packet is marked as TLS1 in Wireshark.
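A Client Hello carries two separate version fields (the record-layer version and the client_version inside the handshake) plus an optional server_name (SNI) extension, so a capture like the ones discussed in this thread can be checked for all three at once. The following is an added example, not code from the thread or from F5; the sample records are constructed and the hostname `app.example.internal` is a placeholder.

```python
import struct

def build_client_hello(record_ver, hello_ver, sni=None):
    """Constructed sample: a minimal ClientHello record, optionally with SNI."""
    ext = b""
    if sni:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        body = struct.pack("!H", len(entry)) + entry            # server_name_list
        ext = struct.pack("!HH", 0, len(body)) + body           # extension type 0
    hello = (struct.pack("!H", hello_ver) + bytes(32)           # version + random
             + b"\x00"                                          # empty session id
             + b"\x00\x02\xc0\x2f"                              # one cipher suite
             + b"\x01\x00"                                      # null compression
             + struct.pack("!H", len(ext)) + ext)               # extensions block
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello        # handshake header
    return b"\x16" + struct.pack("!HH", record_ver, len(hs)) + hs

def inspect_client_hello(data):
    """Return (record-layer version, ClientHello version, SNI host or None)."""
    ctype, record_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 0x16 or len(data) < 5 + rec_len or data[5] != 0x01:
        raise ValueError("not a complete ClientHello handshake record")
    p = 9                                    # record header (5) + handshake header (4)
    hello_ver = struct.unpack("!H", data[p:p + 2])[0]
    p += 2 + 32                              # client_version + random
    p += 1 + data[p]                         # session id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]   # cipher suites
    p += 1 + data[p]                         # compression methods
    sni = None
    if p + 2 <= len(data):                   # extensions are optional
        end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            if etype == 0:                   # server_name extension
                nlen = struct.unpack("!H", data[p + 7:p + 9])[0]
                sni = data[p + 9:p + 9 + nlen].decode()
            p += 4 + elen
    return record_ver, hello_ver, sni

if __name__ == "__main__":
    for host in (None, "app.example.internal"):      # without and with SNI
        rec, ver, sni = inspect_client_hello(build_client_hello(0x0301, 0x0303, host))
        print(f"record=0x{rec:04x} client_version=0x{ver:04x} sni={sni}")
```

To run it against real traffic, pass the raw bytes of the first TLS record of the connection (for example, exported from the capture) to `inspect_client_hello`.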