Forum Discussion
serverssl and serverssl-insecure-compatible
Hi richardgamboacordova,
serverssl {
	ciphers DEFAULT
	secure-renegotiation require-strict
}
 
serverssl-insecure-compatible {
	ciphers !EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED
	secure-renegotiation request
}

Secure Renegotiation:
Specifies the method of secure renegotiation for SSL connections. The default is Require Strict. If your configuration requires insecure SSL renegotiation, set this to Request.
- Request: Specifies the system requests secure renegotiation of SSL connections.
- Require: Specifies the system requires secure renegotiation of SSL connections. In this mode, the system permits initial SSL handshakes from clients, but terminates renegotiations from unpatched clients. For server SSL renegotiation, this mode works the same as Require Strict.
- Require Strict: Specifies the system requires strict secure renegotiation of SSL connections. In this mode, the system refuses new SSL connections to insecure servers and terminates existing SSL connections to insecure servers.
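The following is an added example, not part of the original post and not F5 tooling: a small Python audit that parses the two profile stanzas quoted above and reports the settings that make the second one "insecure-compatible". The `WEAK_ALGS` set and the function names are assumptions of this example, and the `DEFAULT` keyword is not expanded.

```python
import re
# Constructed input: the two stanzas from the post (indentation normalized).
SAMPLE = """\
serverssl {
    ciphers DEFAULT
    secure-renegotiation require-strict
}

serverssl-insecure-compatible {
    ciphers !EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED
    secure-renegotiation request
}
"""

# Algorithms this example treats as weak (an assumption, not a vendor list).
WEAK_ALGS = {"RC4", "DES", "3DES", "EXPORT", "MD5", "NULL"}
STANZA = re.compile(r"^(\S+)\s*\{\s*$(.*?)^\}", re.M | re.S)


def parse_profiles(text):
    """Return {profile_name: {setting: value}} from 'name { key value }' stanzas."""
    profiles = {}
    for name, body in STANZA.findall(text):
        settings = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                settings[parts[0]] = parts[1].strip()
        profiles[name] = settings
    return profiles


def audit(settings):
    """List findings for one profile; keywords such as DEFAULT are not expanded."""
    findings = []
    if settings.get("secure-renegotiation") == "request":
        findings.append("secure-renegotiation request: requested but not required")
    for token in settings.get("ciphers", "").split(":"):
        if not token or token[0] in "!-@":
            continue  # exclusions and ordering directives enable nothing
        weak = WEAK_ALGS.intersection(token.split("+"))
        if weak:
            findings.append(f"cipher token {token} enables {', '.join(sorted(weak))}")
    return findings


if __name__ == "__main__":
    for name, settings in parse_profiles(SAMPLE).items():
        print(name, audit(settings) or "no findings")
```
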
Hi eaa,
Thank you for your response. I have two questions, please.
- What does unpatched clients mean? And does this field (secure-renegotiation) work for SSL client profiles too?
- If the back-end servers have an insecure certificate created by itself (IIS servers), does F5 need the back-end servers' certificate on the server SSL profile, or does it just need the serverssl-insecure-compatible profile?

Thank you!
boneyard (MVP), Oct 13, 2019:
Unpatched means servers that don't support secure renegotiation yet. And yes, a similar option is available in the client-side SSL profile. With most default server SSL profiles the certificate is not checked at all, so that will work by default. The secure renegotiation is not related to the certificate; it is related to renegotiating a session later on.