Forum Discussion
F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2
- Jan 31, 2020
Hi all.
I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.
https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication
So basically I just followed the fix in the above article, I defined a server name and the backend service started sending Server Hello etc. Everything works fine now!
Thank you all for your responses, as quite a few of them were helpful in identifying that the issue is with the app, and I could also spot a few things that were not proper on the negotiation part.
Hi,
For the "Options" property, you can move "No TLSv1" from the available list to the enabled options. Then try again.
Thank you for your reply. I have already done that. Same result. Initially I created the server ssl profile using "tmsh create /ltm profile server-ssl testv12 ciphers TLSv1_2"
I was getting the RST ACK due to TLSv1.
My next move was to create an SSL profile through the GUI and use the "Options" property to remove SSLv3, TLSv1, TLSv1.1. That did not work either. Again, RST ACK since the Client Hello was TLS 1.0.
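A diagnostic sketch for the symptom discussed in this thread, added here as an example and not part of any post: it parses a ClientHello and reports the record-layer version, the offered client_version and the SNI host name as three separate fields. The sample bytes and the name app.example.com are constructed for illustration.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(sni=None):
    """Build a minimal ClientHello (constructed sample data, not a real capture)."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(data)) + data              # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # client_version 1.2, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record version 0x0301

def inspect_client_hello(raw):
    """Return the record-layer version, offered client_version and SNI host name."""
    if len(raw) < 11 or raw[0] != 0x16 or raw[5] != 0x01:
        raise ValueError("not a TLS record carrying a ClientHello")
    record_ver, hello_ver = struct.unpack("!H", raw[1:3])[0], struct.unpack("!H", raw[9:11])[0]
    sni = None
    try:
        pos = 11 + 32                                             # skip the 32-byte random
        pos += 1 + raw[pos]                                       # session_id
        pos += 2 + struct.unpack("!H", raw[pos:pos + 2])[0]       # cipher_suites
        pos += 1 + raw[pos]                                       # compression_methods
        if pos < len(raw):                                        # extensions are optional
            end = pos + 2 + struct.unpack("!H", raw[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", raw[pos:pos + 4])
                if etype == 0 and elen:                           # server_name extension
                    nlen = struct.unpack("!H", raw[pos + 7:pos + 9])[0]
                    sni = raw[pos + 9:pos + 9 + nlen].decode("ascii")
                pos += 4 + elen
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"record": VERSIONS.get(record_ver, hex(record_ver)),
            "offered": VERSIONS.get(hello_ver, hex(hello_ver)),
            "sni": sni}

if __name__ == "__main__":
    for label, raw in (("no SNI", build_client_hello()),
                       ("with SNI", build_client_hello("app.example.com"))):
        print(label, inspect_client_hello(raw))
```

A TLS 1.3 client also sends 0x0303 in client_version and lists its real versions in the supported_versions extension, which this sketch does not parse.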