Forum Discussion
richardgamboac1
Nimbostratus
Nimbostratusserverssl and serverssl-insecure-compatible
I just want go deep about these two ssl servers profile, what are the difference?, when to use each one?.
Hi richardgamboacordova,
serverssl { ciphers DEFAULT secure-renegotiation require-strict } serverssl-insecure-compatible { ciphers !EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED secure-renegotiation request }Secure Renegotiation:
Specifies the method of secure renegotiation for SSL connections. The default is Require Strict. If your configuration requires insecure SSL renegotiation, set this to Request.
- Request: Specifies the system requests secure renegotiation of SSL connections.
- Require: Specifies the system requires secure renegotiation of SSL connections. In this mode, the system permits initial SSL handshakes from clients, but terminates renegotiations from unpatched clients. For server SSL renegotiation, this mode works the same as Require Strict.
- Require Strict: Specifies the system requires strict secure renegotiation of SSL connections. In this mode, the system refuses new SSL connections to insecure servers and terminates existing SSL connections to insecure servers.
richardgamboac1Hi eaa,
Thank you for your response. I have two questions, please.
- What unpatched clients means? And this field (secure-renegotiation) works for ssl client profiles too?.
- If the back-ends servers have an insecure certificate created by itself (iis servers), do F5 needs the back-end servers certificate on server ssl profile or just need the server so-insecure-compatible profile?
- thank you!
boneyardMVP
unpatched means server that don't support secure renegotiation yet. and yes a similar option is available in the client side SSL profile.
with most default server SSL profile the certificate is not checked at all, so that will work by default. the secure renegotiation is not related to the certificate, it is related to renegotiation a session later on.
