Forum Discussion
F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2
- Jan 31, 2020
Hi all.
I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.
https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication
So basically I just followed the fix in the above article, I defined a server name and the backend service started sending Server Hello etc. Everything works fine now!
Thank you all for your responses, as quite a few of them were helpful on identifying that the issue is with the app, and I could also spot a few things that were not proper on the negotiation part.
Hi!
All tests failed today. But I have some extra clues.
- The app running on the background is a .NET application
- The registry tweaks for the .NET app basically failed. Same issue.
- We also turned off the app itself, and tried to use IIS default pages, just to see if the communication between F5 and the backend server would be OK. And it is, it works perfectly fine. So it's the .NET app that breaks it.
The weird part is that without modifying anything on F5, it works with simple IIS on the backend, but it does not with the .NET app enabled. The only difference I can see in Wireshark is that the successful Client Hello done from the F5 towards the backend server is done using TLS 1.2, whereas one that fails uses TLSv1 instead for the Client Hello. Both mark 1.0 as the minimum and 1.2 as the maximum accepted TLS though.
Have a look at the successful attempts against IIS, and compare them to the unsuccessful ones against the .NET app. The only difference is the version used for the Client Hello part. Once again, thank you all for your ideas and feedback.
Let's not stick to the record layer as the issue; we should check the other angles too (ciphers, SHA, protocols). Can you share your pcaps of the failed and working ones? Expand the Client Hello packet. Also, what is in the handshake protocol version is what would be shown in the pcap protocol info.
Also share the test results of the below:
# To test TLS 1.1
openssl s_client -connect IP:PORT -tls1_1
# To test TLS 1.2
openssl s_client -connect IP:PORT -tls1_2
# To test SHA1 ciphers
openssl s_client -cipher 'SHA' -connect IP:PORT -tls1_2
# To test SHA256 ciphers
openssl s_client -cipher 'SHA256' -connect IP:PORT -tls1_2
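The two things this thread turned on, whether the F5's Client Hello carries a server_name (SNI) extension and the difference between the record-layer version and the handshake client_version, can both be read straight off the raw Client Hello bytes. The script below is an added example written for this page, not code from the thread or from F5; it builds its own constructed Client Hellos (the hostname backend.example.com, the zeroed client random and the single cipher suite are all made up for the sample) and parses them the way you would check a pcap export, reporting the record version, the offered version, the SNI value if any, and the supported_versions list.

```python
"""Parse a TLS ClientHello and report the fields that mattered in the thread:
record-layer version, handshake client_version, SNI and supported_versions.
All sample Client Hellos here are constructed, not captured traffic."""
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(record_version, client_version, sni=None, supported_versions=None):
    """Construct a minimal ClientHello (constructed test data, not a real capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        body = bytes([len(vs)]) + vs
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    body = struct.pack("!H", client_version)
    body += bytes(32)                       # client random (zeros; constructed)
    body += b"\x00"                         # empty session id
    suites = struct.pack("!H", 0xC02F)      # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                     # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type ClientHello
    return b"\x16" + struct.pack("!HH", record_version, len(hs)) + hs


def parse_client_hello(data):
    """Return a dict with the version fields, cipher suites, SNI and supported_versions."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                            # skip client random
    pos += 1 + body[pos]                    # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                    # skip compression methods
    info = {"record_version": TLS_VERSIONS.get(record_version, hex(record_version)),
            "client_version": TLS_VERSIONS.get(client_version, hex(client_version)),
            "cipher_suites": suites, "sni": None, "supported_versions": []}
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME:
                # list length (2), name_type (1), name length (2), name
                name_len = struct.unpack("!H", edata[3:5])[0]
                info["sni"] = edata[5:5 + name_len].decode()
            elif etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                info["supported_versions"] = [TLS_VERSIONS.get(v, hex(v))
                                              for v in struct.unpack("!%dH" % (n // 2), edata[1:1 + n])]
    return info


def diagnose(data):
    """Findings a defender would note when comparing a working and a failing ClientHello."""
    info = parse_client_hello(data)
    findings = []
    if info["sni"] is None:
        findings.append("no server_name extension: a backend that picks its certificate "
                        "by SNI may never send its Server Hello")
    if info["record_version"] == "TLS 1.0" and info["client_version"] != "TLS 1.0":
        findings.append("record header says TLS 1.0 but the handshake offers %s; the offered "
                        "version is what is negotiated, the record header is a compatibility "
                        "value" % info["client_version"])
    return info, findings


if __name__ == "__main__":
    # Constructed samples: an F5 default (no SNI) and the same hello after setting a server name.
    for label, hello in [("without SNI", build_client_hello(0x0301, 0x0303)),
                         ("with SNI", build_client_hello(0x0301, 0x0303, sni="backend.example.com",
                                                         supported_versions=[0x0303, 0x0302, 0x0301]))]:
        info, findings = diagnose(hello)
        print(label, info, findings, sep="\n  ")
```

To use it on real traffic, export the Client Hello record bytes from Wireshark (Follow TCP Stream or Export Packet Bytes) and pass them to `diagnose`. A missing SNI entry in the output is the condition the thread's fix addressed; a TLS 1.0 record header with a TLS 1.2 client_version on its own is normal and is not what stops the Server Hello.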