For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tom_G__134358's avatar
Tom_G__134358
Icon for Nimbostratus rankNimbostratus
Feb 11, 2014

SERVER SSL profile ciphers work fine, but not HTTPS monitor

Hi,   I'm currently implementing an LTM config with a virtual server pointing to a real server which only supports TLS 1.0 and old ciphers.   I managed to get it working using the following con...
https
security
ssl
Tom_G__134358's avatar
Tom_G__134358
Icon for Nimbostratus rankNimbostratus
Feb 14, 2014

I tried with the string you suggested and it did not work.

I then did some trial and error and isolated the string which caused the failure.

Whenever I use !TLSv1.1, !TLSv1.2, !TLSv1_1 or !TLSv1_2, it fails.

It worked with the following string : 

!SSLv2:!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@STRENGTH

The same string with 

@SPEED
did not work.

I was surprised that the client hello was sent with protocol version 3.1 (TLS 1.0) whereas the actual connection to the server uses protocol version 3.3 (TLS 1.2) by default (if I don't specify !TLSv1_2 in the cipher string).

Obviously, the monitor does not use the same SSL implementation as the SSL server profiles ...

Thanks for your help Kevin !

Tom

PS: this is the behaviour on 11.4.1 HF2, I'll try 11.5.0 soon, I might get different results.