For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Merry95_171142's avatar
Merry95_171142
Icon for Nimbostratus rankNimbostratus
Feb 18, 2015

SSL Error when requests come from proxy

Hello, I have a problem with some Virtual Servers on LTM.   I use SSLClient Profiles so the dialog between F5 and server is uncrypted. All the parameters are the default ones.   This configura...
Brad_Parker's avatar
Brad_Parker
Icon for Cirrus rankCirrus
Feb 19, 2015

Your client is most likely sending an SSLv2 compatible hello that also states that he can talk TLS as well. The proxy is sending SSLv3 hello, which means it can only negotiate up to SSLv3. The default cipher list in 11.5+ disables SSLv3, which is why your proxy is failing to complete the SSL handshake. You will either need to configure the proxy to use TLS or change your cipher list to include SSLv3 like this: 

!LOW:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA
. That would be the same as DEFAULT in 11.6 with the addition of SSLv3. I would suggest changing the proxy as SSLv3 is very vulnerable and no longer considered to be secure. PCI-DSS has also now officially stated it is not compliant to use SSLv3 at all.