Forum Discussion

pstavr's avatar
pstavr
Icon for Cirrus rankCirrus
Jan 24, 2020

F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2

Hi   I have an F5 virtual server that does SSL inspection so it has a client ssl profile and a server ssl profile. The backend server is running on a Windows Server 2019 / IIS and it only accepts...
application delivery
BIG-IP
Client Hello
LTM
RST ACK
server ssl profile
tls
  • pstavr's avatar
    pstavr
    Jan 31, 2020

    Hi all.

     

    I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.

    https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication

     

    So basically I just followed the fix in the above article, I defined a server name and the backend service started sending Server Hello etc. Everything works fine now!

     

    Thank you all for your responses, as quite a few of them were helpful on identifying that the issue is with the app, and I could also spot a few things that were not proper on the negotiation part.

     

Rodrigo_Albuque's avatar
Rodrigo_Albuque
Icon for MVP rankMVP

Which version of BIG-IP are you using?

pstavr's avatar
pstavr
Icon for Cirrus rankCirrus
Jan 24, 2020

We extracted a list of the ciphers supported from IIS. Quite a few were common with F5 so they were included in the Client Hello. Thats why I am saying I agree with you that it should accept one of them and proceed further by sending a Server Hello.

I was thinking of creating a list of ciphers based on the extracted ones from IIS and create a custom cipher list to be 100% match for the one on IIS. But even if that would work, it still does not explain why a RST ACK is sent now when there are so many common ciphers between the two...