SSL fallback help

Question

Hi, we have a SSL VIP that currently only supports TLS1.2 (via ciphers) anything else will fail which is great. We are launching a new public website soon that we would like older clients to be able to fall back eg. tls 1.1 or 1.0 if they dont have current browsers. Is it possible to do this and in a way we dont leave ourselves vulnerable? Thanks.

henrik_gyllkran · Answer

Since the TLS handshake happens before the request and we can tell what type of browser this is, we can't really say what type of browsers are allowed to use which ciphers. I suppose you could set up an iRule to examine the request and force a renegotiation with a different profile but that will be a bit unwieldy I think. I think sooner or later you just have to make a decision to not support older and insecure browsers.

Forum Discussion

SSL fallback help

Recent Discussions

SNI Sites not taking correct certificate.

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

Can i apply ddos profile on virtual server using port range

ASM Export JSON - size Limit ?

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

Related Content

HTTPS passthrough fallback URL

SSL Profiles Part 6: SSL Renegotiation

Transparent Kerberos Authentication and APM fallback authentication

Updating SSL Certificates on BIG-IP using REST API

APM Kerberos Auth or fallback to another authentication method

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS