Forum Discussion
Regarding cipher negotiation for LTM
Hi,
I need a suggestion regarding cipher negotiation between LTM and the server. As per my understanding, when the client sends a hello it sends all the cipher values it supports. In the case of the serverssl profile, I am seeing that when LTM sends a hello to the nodes it only sends TLSv1.2, and since our node supports TLSv1 it is dropping the connection. So ideally, if the client and server are not able to agree on a cipher value, LTM should switch to TLSv1.1, then TLSv1 and SSLv3, since these ciphers are currently enabled on LTM. But why, after LTM sends TLSv1.2 and sees a reset from the server, does it not fall back to the lower supported ciphers? Do we need to make any other changes on the LTM side?
Also, if I configure the cipher value as something like :TLSv1:TLSv1.1:TLSv1.2, will TLSv1 take preference over v1.1 and v1.2?
Thanks.
- Amit585731 (Nimbostratus): Dear Experts, any suggestion please?
- Hannes_Rapp (Nimbostratus):
A Reset (TCP) from the end-server is not a correct SSL/TLS downgrade response. Probably you're using Windows Server 2008?
You can mitigate this by enforcing the use of TLSv1.0 in your BigIP serverssl profile. Do not modify the default serverssl profile, but create a new one with your custom settings. When done, apply that custom TLSv1.0-only serverssl profile to your Virtual Server.
Creating a custom TLSv1.0-only serverssl profile (Local Traffic - Profiles - SSL - Server)
1) Create a new serverssl profile
2) Name it as you like, i.e. profile_serverssl_TLSv1-0
3) Parent Profile - serverssl
4) Expand the configuration section - advanced
5) In Cipher configuration, replace the DEFAULT keyword with TLSv1
6) Keep the rest as default, unless you have other requirements
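The following is an added model of the negotiation described in this thread; it is not F5 code and not part of the original answer. It shows why LTM cannot "fall back" after a TCP reset: a TLS 1.0-1.2 ClientHello carries a single client_version field (the highest enabled version), the server is expected to answer with a ServerHello at its own highest version or a protocol_version alert, and a reset gives the client nothing to act on. Capping the serverssl profile at TLSv1, as in the steps above, changes what the ClientHello advertises and so avoids the reset. The class and field names (`ServerSslProfile`, `enabled`, `resets_on_newer_version`) are assumptions for the model, not tmsh property names, and the scenario values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added model, not F5 code. (major, minor) are the wire version values from the
# RFCs: SSLv3 = 3.0, TLSv1 = 3.1, TLSv1.1 = 3.2, TLSv1.2 = 3.3.
VERSIONS = {"SSLv3": (3, 0), "TLSv1": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
NAMES = {wire: name for name, wire in VERSIONS.items()}


@dataclass
class ServerSslProfile:
    """Only the part of an LTM serverssl profile that matters here: the protocol
    versions LTM (acting as TLS client towards the pool member) has enabled.
    `name` and `enabled` are assumed field names, not tmsh property names."""
    name: str
    enabled: List[str]

    def client_hello_version(self) -> Tuple[int, int]:
        # A TLS 1.0-1.2 ClientHello carries ONE client_version field: the highest
        # version the client supports. Keyword order in a cipher string cannot
        # change this; if TLSv1.2 is enabled at all, the hello advertises 3.3.
        return max(VERSIONS[v] for v in self.enabled)


@dataclass
class BackendNode:
    """A pool member. `resets_on_newer_version` models the behaviour reported in
    the thread: the node answers a ClientHello whose version is above its own
    maximum with a TCP reset instead of negotiating down."""
    supported: List[str]
    resets_on_newer_version: bool = False

    def respond(self, client_version: Tuple[int, int]):
        supported = sorted(VERSIONS[v] for v in self.supported)
        highest = supported[-1]
        if client_version > highest and self.resets_on_newer_version:
            # Non-compliant: RFC 5246 appendix E.1 expects a ServerHello carrying
            # the server's own highest version. A RST carries no TLS-level
            # information, so the client (LTM) has nothing to act on.
            return ("TCP_RST", None)
        acceptable = [v for v in supported if v <= client_version]
        if not acceptable:
            # Compliant refusal: a fatal protocol_version alert (RFC 5246 7.2.2).
            return ("Alert", "protocol_version")
        return ("ServerHello", acceptable[-1])


def negotiate(profile: ServerSslProfile, node: BackendNode) -> Optional[str]:
    """Run the single-round-trip version negotiation and return the agreed
    version name, or None when the handshake does not complete."""
    kind, value = node.respond(profile.client_hello_version())
    if kind != "ServerHello":
        return None
    return NAMES[value]


if __name__ == "__main__":
    # Constructed scenario from the thread: a TLSv1-only node that resets.
    node = BackendNode(["TLSv1"], resets_on_newer_version=True)
    default = ServerSslProfile("serverssl", ["TLSv1", "TLSv1.1", "TLSv1.2"])
    capped = ServerSslProfile("profile_serverssl_TLSv1-0", ["TLSv1"])
    print("default profile ->", negotiate(default, node))   # None: RST after hello 3.3
    print("TLSv1-only profile ->", negotiate(capped, node))  # TLSv1
    # Same node but RFC-compliant: LTM's default profile would have negotiated down.
    print("compliant node ->", negotiate(default, BackendNode(["TLSv1"])))  # TLSv1
```

The third case is the point to keep in mind when deciding whether to leave the TLSv1-only profile in place: a compliant TLSv1 server answers a TLSv1.2 hello with a TLSv1 ServerHello on its own, so the custom profile is a workaround for the node's behaviour rather than something TLS requires, and it should be removed once the backend is fixed or upgraded, since it pins every connection to that pool at TLSv1.0.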