Forum Discussion
I have a URL running on 11.4.1 F5 with a client SSL profile. I want to know if it's TLS 1.2 compliant for users' machines coming from any protocol version.
Can somebody let me know how to decide whether the users coming from different protocol versions and hitting F5 are TLS 1.2 compliant?
My F5 is running on v11.4.1 and, as I know, in version 11.4.1 of LTM the order changed to the most secure protocol, TLS 1.2. Now the LTM tries to establish a connection with TLS 1.2 before it tries the others.
So that means back end servers should also have tls1.2 so that ssl handshake is successful between f5 and servers.
But how do we assure that the SSL handshake between user and F5 is also successful, since we cannot control which protocol versions users will be coming from?
The VIP I am talking about has a client SSL profile:
Ltm::ClientSSL Profile: test.ironmountain.com
Virtual Server Name                  N/A

Bytes                                Inbound   Outbound
Encrypted                            71.3G     374.1G
Decrypted                            43.3G     108.7G

Connections                          Open      Maximum   Total
Native                               2         73        77.3M
Compatibility                        0         0         0
Total                                2         77        77.3M

Certificates/Handshakes
Valid Certificates                   0
Invalid Certificates                 0
No Certificates                      77.3M
Mid-Connection Handshakes            0
Secure Handshakes                    77.3M
Insecure Handshakes Accepted         174
Insecure Handshakes Rejected         0
Insecure Renegotiations Rejected     0
Mismatched Server Name Rejected      0

Protocol
SSL Protocol Version 2               0
SSL Protocol Version 3               0
TLS Protocol Version 1.0             77.3M
TLS Protocol Version 1.1             50
TLS Protocol Version 1.2             19.6K
DTLS Protocol Version 1              0
I am not understanding the various tls version numbers showing above and what they mean.
1 Reply
- Hannes_Rapp
Nimbostratus
You cannot do anything to ensure the SSL handshake with client is going to be successful. You can just make it very likely, if you enable all SSL/TLS versions and cipher suites on BigIP. That of course is a bad idea, and you don't want to throw all security out the window.
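The following is an added example, not part of the original thread or of any F5 tooling: it parses the Protocol counters quoted in the question and reports how many recorded handshakes fall below a chosen minimum version, which is the client population affected if that minimum were enforced on the profile. It assumes each counter is the number of handshakes that negotiated that version and that the K/M/G suffixes are decimal roundings; the function names are hypothetical.

```python
import re

# Protocol counters copied from the post above, flattened as they appear there.
STATS = ("SSL Protocol Version 2 0 SSL Protocol Version 3 0 "
         "TLS Protocol Version 1.0 77.3M TLS Protocol Version 1.1 50 "
         "TLS Protocol Version 1.2 19.6K DTLS Protocol Version 1 0")

# Assumption: suffixes are decimal (K = 1,000), so suffixed values are approximate.
SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
# Oldest to newest; DTLS is a separate protocol family and is not ranked here.
ORDER = ["SSL 2", "SSL 3", "TLS 1.0", "TLS 1.1", "TLS 1.2"]
COUNTER = re.compile(
    r"(D?TLS|SSL)\s+Protocol\s+Version\s+(\d(?:\.\d)?)\s+(\d+(?:\.\d+)?)([KMG]?)")


def parse_counters(text):
    """Return e.g. {'TLS 1.0': 77300000, ...} from the Protocol section."""
    return {f"{fam} {ver}": round(float(num) * SUFFIX[suf])
            for fam, ver, num, suf in COUNTER.findall(text)}


def below_minimum(counters, minimum):
    """Handshakes that negotiated a version older than `minimum`, and their share."""
    old = sum(counters.get(v, 0) for v in ORDER[:ORDER.index(minimum)])
    total = sum(counters.get(v, 0) for v in ORDER)
    return old, (old / total if total else 0.0)


if __name__ == "__main__":
    counters = parse_counters(STATS)
    for minimum in ("TLS 1.1", "TLS 1.2"):
        old, share = below_minimum(counters, minimum)
        print(f"minimum {minimum}: {old:,} of the recorded handshakes "
              f"({share:.2%}) negotiated an older version")
```
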