Forum Discussion
pstavr
Cirrus
CirrusF5 Server SSL Profile using TLS 1.0 instead of TLS 1.2
Hi I have an F5 virtual server that does SSL inspection so it has a client ssl profile and a server ssl profile. The backend server is running on a Windows Server 2019 / IIS and it only accepts...
Hi all.
I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.
https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication
So basically I just followed the fix in the above article, I defined a server name and the backend service started sending Server Hello etc. Everything works fine now!
Thank you all for your responses, as quite a few of them were helpful on identifying that the issue is with the app, and I could also spot a few things that were not proper on the negotiation part.
nick
Nimbostratus
NimbostratusIs it a .NET application by any chance?
pstavrCirrus
CirrusI believe so yes. I have to check that with the app team, but I think its a .NET application hosted on that IIS.
- nick
I had this issue and had to add a registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
- pstavr
Thank you. I ll let them know. I believe they did modify a GPO object but maybe that was IIS related. I try everything out on Monday and come back with feedback. Thank you all!
NUT2889Cirrostratus
Hi,
You can use this tool help identify the TLS version and Cipher suite that your IIS was enabled.
https://www.bolet.org/TestSSLServer/
Example is over here.