Forum Discussion

pstavr's avatar
pstavr
Icon for Cirrus rankCirrus
Jan 24, 2020

F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2

Hi   I have an F5 virtual server that does SSL inspection so it has a client ssl profile and a server ssl profile. The backend server is running on a Windows Server 2019 / IIS and it only accepts...
application delivery
BIG-IP
Client Hello
LTM
RST ACK
server ssl profile
tls
  • pstavr's avatar
    pstavr
    Jan 31, 2020

    Hi all.

     

    I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.

    https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication

     

    So basically I just followed the fix in the above article, I defined a server name and the backend service started sending Server Hello etc. Everything works fine now!

     

    Thank you all for your responses, as quite a few of them were helpful on identifying that the issue is with the app, and I could also spot a few things that were not proper on the negotiation part.

     

pstavr's avatar
pstavr
Icon for Cirrus rankCirrus
Jan 31, 2020

Hi all.

 

I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.

https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication

 

So basically I just followed the fix in the above article, I defined a server name and the backend service started sending Server Hello etc. Everything works fine now!

 

Thank you all for your responses, as quite a few of them were helpful on identifying that the issue is with the app, and I could also spot a few things that were not proper on the negotiation part.

 

  • jaikumar_f5's avatar
    jaikumar_f5
    Icon for MVP rankMVP
    Jan 31, 2020

    Interesting, Glad your issue is resolved. One thing I learnt over the years is to look around for all possibilities. Never stick to a point and think it could be the problem.​ Mark your own answer as solution provided and close the thread.

  • NUT2889's avatar
    NUT2889
    Icon for Cirrostratus rankCirrostratus
    Feb 03, 2020

    Hi,

     

    I have few experience and share with you.

     

    Some of administrator has enabled SNI on web server e.g. IIS, Nginx, Apache. But him didn't tell me to know.

     

    When we configure F5 to monitor via HTTP or HTTPs. The result is pool offline. Sometimes we need to re-check administrator for this setting to reduce ping-pong situation.

     

     

    • jaikumar_f5's avatar
      jaikumar_f5
      Icon for MVP rankMVP
      Feb 03, 2020

      Actually, it's quite common, in the monitor the Host header section matters a lot.

      Troubleshooting health check is one thing, and troubleshooting application traffic flow is another thing.​

    • NUT2889's avatar
      NUT2889
      Icon for Cirrostratus rankCirrostratus
      Feb 04, 2020

      Hi,

       

      Thank you for your feedback.

       

      From my perspective "Host header" and "SNI" is different level.

      • Host header is in web application server level.
      • SNI is in SSL/TLS protocol level.