Forum Discussion

Nimbostratus

Oct 31, 2015

SSL Ciphers

Hi, I'm working on a task to disable SSLv2 connection. I'm going to use NATIVE SSL stack and COMPAT SSL stack and the following command in client profile. native:compat:!sslv2 If I'm using ...

nathe

Cirrocumulus

Oct 31, 2015

Thiyagu,

"If I'm using both NATIVE and COMPAT SSL stack which SSL stack does the client chose to communicate?"

It should negotiate the most secure cipher from either list, which will probably be from the NATIVE stack. To be certain you can add @STRENGTH to your cipher string.

"If a client is currently using SSLv2 and we deny the request on LB, Does the client re-initiate the session with SSLv3 or TLS?"

The existing session would continue as normal but any new TCP connections over SSL would negotiate with SSLv3 and upwards.

"Does the security certificate which we are installing on LB have any algorithm related to SSLv2 or SSLv3 or TLS?"

It doesn't include protocol supportability no.

Moving forward f5 are moving away from COMPAT ciphers as they are less secure and slower (can't be optimised in hardware) and SSLv3 now. I'd recommend you look further ahead than just SSLv2.

Hope this helps,

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)