Forum Discussion
F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2
- Jan 31, 2020
Hi all.
I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.
https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication
So basically I just followed the fix in the above article, I defined a server name and the backend service started sending Server Hello etc. Everything works fine now!
Thank you all for your responses, as quite a few of them were helpful on identifying that the issue is with the app, and I could also spot a few things that were not proper on the negotiation part.
pstavr,
That is what I'm trying to explain.
The TLS1.0 Client Hello BIG-IP is sending is just a convention to signal which version it supports.
If your Windows client only sends TLS1.2/TLS1.2 it means it only supports TLS1.2 and nothing else.
Because BIG-IP supports TLS1.0, TLS1.1 and TLS1.2 it signals to server TLS1.0/TLS1.2.
This is expected behaviour.
And FYI, I took a capture on my Ubuntu box and this is my client hello:
Does it make sense?
Sort of does. I guess I would say it makes sense if you use DEFAULT on the ciphers. But if you restrict it to TLS 1.2, why would the F5 send TLS 1.0 as the lowest? I do 100% agree though that there is something wrong with the backend server so we need to tweak it to be more "open", at least during the negotiation process.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com