Forum Discussion
F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2
- Jan 31, 2020
Hi all.
I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.
https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication
So basically I just followed the fix in the above article: I defined a server name, and the backend service started sending Server Hello etc. Everything works fine now!
Thank you all for your responses, as quite a few of them were helpful on identifying that the issue is with the app, and I could also spot a few things that were not proper on the negotiation part.
pstavr,
That is what I'm trying to explain.
The TLS1.0 Client Hello BIG-IP is sending is just a convention to signal which version it supports.
If your Windows client only sends TLS1.2/TLS1.2 it means it only supports TLS1.2 and nothing else.
Because BIG-IP supports TLS1.0, TLS1.1 and TLS1.2 it signals to server TLS1.0/TLS1.2.
This is expected behaviour.
And FYI, I took a capture on my Ubuntu box and this is my client hello:
Does it make sense?
If you're restricting BIG-IP to ONLY TLS1.2 then that might be a bug as BIG-IP is supposed to send TLS1.2/TLS1.2 in my understanding. However, the fact that BIG-IP signals IIS that it supports TLS1.0 to TLS1.2 is not supposed to trigger connection failure. The fact that BIG-IP also supports TLS1.0 and TLS1.1 is not supposed to break the connection. IIS is supposed to reply with TLS1.2 version and keep going. I'd say this is a broken behaviour from IIS and I believe the easiest thing to solve your issue is just to have a quick look at IIS log when the connection fails. Other than that, you can definitely open a low-priority (Sev4) Support ticket with F5 and ask them to file a low-priority bug for this behaviour.
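The two posts above turn on two things you can only settle by looking at the bytes of the Client Hello that BIG-IP sends to the pool member: whether a server_name (SNI) extension is present at all (the OP's root cause), and the difference between the record-layer version (TLS1.0, 0x0301) and the ClientHello's own client_version / supported_versions fields (the point of the reply). The script below is an added example, not code from the thread or from F5: it builds a constructed, minimal ClientHello record in the same shape BIG-IP would emit, then parses those fields back out and reports the two findings that matter here. The host name `app.example.internal` and the cipher suite are placeholders. On a real capture, feed `parse_client_hello()` the TCP payload of the first client-to-server data segment (for example extracted with tshark or scapy from a `tcpdump -w` taken on the BIG-IP server side); it reads the first record only.

```python
import struct

# Version codes as they appear on the wire (RFC 5246 / RFC 8446).
TLS_VERSIONS = {
    0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
    0x0303: "TLS1.2", 0x0304: "TLS1.3",
}

EXT_SERVER_NAME = 0x0000          # RFC 6066 server_name (SNI)
EXT_SUPPORTED_VERSIONS = 0x002b   # RFC 8446 supported_versions


def version_name(code):
    return TLS_VERSIONS.get(code, "0x%04x" % code)


def build_client_hello(server_name=None, client_version=0x0303,
                       supported_versions=(), record_version=0x0301):
    """Construct a minimal ClientHello record. This is constructed sample
    data for the parser below, not a capture from BIG-IP; real stacks send
    many more cipher suites and extensions. The defaults mirror what the
    reply describes: record layer TLS1.0, client_version TLS1.2."""
    body = struct.pack("!H", client_version)          # legacy client_version
    body += b"\x00" * 32                               # random (zeros in the sample)
    body += b"\x00"                                    # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite (placeholder)
    body += b"\x01\x00"                                # compression: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        sv = struct.pack("!B", len(vers)) + vers
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello, 3-byte length
    return b"\x16" + struct.pack("!HH", record_version, len(hs)) + hs


def parse_client_hello(data):
    """Parse the first TLS record of a client-to-server stream and return the
    record-layer version, the ClientHello client_version, the supported_versions
    list and the SNI host name (None when the extension is absent)."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + record_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("first handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                       # skip client_version + random
    pos += 1 + body[pos]                               # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    result = {"record_version": version_name(record_version),
              "client_version": version_name(client_version),
              "supported_versions": [], "sni": None}
    if pos + 2 > len(body):                            # no extensions block at all
        return result
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME and len(edata) >= 5:
            p = 2                                      # skip ServerNameList length
            while p + 3 <= len(edata):
                ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                         # host_name entry
                    result["sni"] = edata[p:p + nlen].decode("ascii", "replace")
                p += nlen
        elif etype == EXT_SUPPORTED_VERSIONS and len(edata) >= 1:
            n = edata[0] - (edata[0] % 2)              # ignore a malformed odd length
            result["supported_versions"] = [
                version_name(struct.unpack("!H", edata[1 + i:3 + i])[0])
                for i in range(0, n, 2) if 3 + i <= len(edata)]
    return result


def audit_client_hello(data):
    """The two findings the thread is about: SNI missing, and the record-layer
    version being mistaken for the version actually offered."""
    r = parse_client_hello(data)
    findings = []
    if r["sni"] is None:
        findings.append("no server_name extension: a backend that picks its site "
                        "or certificate by SNI may never send a ServerHello")
    if r["record_version"] != r["client_version"]:
        findings.append("record layer %s vs client_version %s: expected; only "
                        "client_version/supported_versions are the offer"
                        % (r["record_version"], r["client_version"]))
    return findings


if __name__ == "__main__":
    with_sni = build_client_hello("app.example.internal", supported_versions=(0x0304, 0x0303))
    print(parse_client_hello(with_sni))
    print(audit_client_hello(build_client_hello()))   # default: no SNI, like the OP's profile
```

The second audit finding is deliberately informational: a TLS1.0 record-layer version on the ClientHello is the convention the reply describes, and RFC 8446 tells servers to ignore that field, so a server that refuses to answer on seeing 0x0301 there is the broken party. The first finding is the one that actually explains the OP's symptom; after setting the Server Name on the server SSL profile, re-run the parser on a fresh capture and confirm `sni` is no longer `None`.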