Forum Discussion

pstavr's avatar
pstavr
Icon for Cirrus rankCirrus
Jan 24, 2020

F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2

Hi

 

I have an F5 virtual server that does SSL inspection so it has a client ssl profile and a server ssl profile. The backend server is running on a Windows Server 2019 / IIS and it only accepts TLS 1.1 and 1.2 clients. Since the F5 acts as a client in this case towards the Windows Server 2019, I have created a server ssl profile which forces the F5 to use TLS 1.2 only (SSL Proxy is disabled). My problem is that during the Client Hello from the F5 towards the Windows Server, TLS 1.0 is used. So the backend server immediatelly sends a RST ACK without sending Server Hello for supported ciphers etc.

While doing a capture on Wireshark, I saw that TLS 1.0 is used. And further down in the same TCP packet it mentions TLS 1.2.

This is driving me crazy. Is there any way we can enforce F5 to use 1.2 only during Client Hello?

 

  • Hi all.

     

    I found the root cause. The problem was related to the .NET app using SNI. By default the F5 doesn't do that.

    https://devcentral.f5.com/s/articles/ssl-profiles-part-7-server-name-indication

     

    So basically I just followed the fix in the above article, I defined a server name and the backend service started sending Server Hello etc. Everything works fine now!

     

    Thank you all for your responses, as quite a few of them were helpful on identifying that the issue is with the app, and I could also spot a few things that were not proper on the negotiation part.

     

  • Hi pstavr,

     

    Is this issue resolved? i have the same problem with this.

    What solution do you use to improve from the F5 side?

     

    Thanks

    • pstavr's avatar
      pstavr
      Icon for Cirrus rankCirrus

      Hi Bonow.

       

      Yes, it was happening because the backend servers required SNI support. I have posted an article above from F5 where you can see the solution.