Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

OTS02's avatar
OTS02
Icon for Cirrus rankCirrus
Dec 04, 2015

server-side ssl not negotiating

I have a standard Virtual Server (443) that terminates ssl on the client side, and re-encrypts on the server side. Just as I have done many times.   LTM logs (ssl debug) yields:   01260013 SS...
application delivery
LTM
Brad_Parker's avatar
Brad_Parker
Icon for Cirrus rankCirrus
Dec 08, 2015

I made the server-side SSL profile cipher string = 'TLSv1' only and that made it work.

 

This is because Windows 2008 no R2 doesn't understand TLSv1.2 handshake initiation and it never allows it to negotiate down to TLSv1.

 

  • OTS02's avatar
    OTS02
    Icon for Cirrus rankCirrus
    Dec 08, 2015
    But when examining the ssldump of a browser going directly to the server, the browser first offers 1.2, and they negotiate down to 1.0.
  • Brad_Parker's avatar
    Brad_Parker
    Icon for Cirrus rankCirrus
    Dec 08, 2015
    A browser will retry the whole connection and has a different SSL stack than BigIP so the client behavior can be different.
  • OTS02's avatar
    OTS02
    Icon for Cirrus rankCirrus
    Dec 08, 2015
    OK. I think the Windows 2008 server is kind of lame, but just the same, I'm pretty stinkin happy the goofy thing is working.