Forum Discussion

pstavr's avatar
pstavr
Icon for Cirrus rankCirrus
Jan 24, 2020

F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2

Hi   I have an F5 virtual server that does SSL inspection so it has a client ssl profile and a server ssl profile. The backend server is running on a Windows Server 2019 / IIS and it only accepts...
application delivery
BIG-IP
Client Hello
LTM
RST ACK
server ssl profile
tls
  • pstavr's avatar
    pstavr
    Jan 31, 2020

    Hi all.

     

    I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.

    https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication

     

    So basically I just followed the fix in the above article, I defined a server name and the backend service started sending Server Hello etc. Everything works fine now!

     

    Thank you all for your responses, as quite a few of them were helpful on identifying that the issue is with the app, and I could also spot a few things that were not proper on the negotiation part.

     

pstavr's avatar
pstavr
Icon for Cirrus rankCirrus
Jan 27, 2020

Hi!

 

All tests failed today. But I have some extra clues.

 

  1. The app running on the background is a .NET application
  2. The registry tweaks for the .NET app basically failed. Same issue.
  3. We also turned off the app its self, and tried to use IIS default pages, just to see if the communication between F5 and the backend server would be OK. And it is, it works perfectly fine. So its the ,NET app that breaks it.

The weird part is that without modifying anything on F5, it works with simple IIS on the backend, but it does not with the .NET app enabled. The only difference I can see in WireShark is that the successful Client Hello done from the F5 wowards the backend server, is done using TLS 1.2. Where one that fails uses TLSv1 instead for the Client Hello. Both mark 1.0 as the minimum and 1.2 as the maximum accewpted TLS though.

Have a look at the successful attempts against IIS, and compare them to the unsuccesful against the .NET app. Only difference is that the version used for the Client Hello part. Once again, thank you all for your ideas and feedback.

  • jaikumar_f5's avatar
    jaikumar_f5
    Icon for MVP rankMVP
    Jan 30, 2020

    Lets not stick to the record layer that it could be the issue, we should check on the other angles too (ciphers, sha, protocols).... Can you share your pcaps of failed and working one. Expand the client hello packet. Also what is there in the handshake protocol version is what would be shown in the pcap protocol info.

    Also share the test results of below,

    #To test tls1.1
openssl s_client -connect IP:PORT -tls1_1
 
#To test tls1.2
openssl s_client -connect IP:PORT -tls1_2
 
#To test SHA1
openssl s_client -cipher 'SHA' -connect IP:PORT -tls1_2
 
#To test SHA2
openssl s_client -cipher 'SHA256' -connect IP:PORT -tls1_2