rvogster
Dec 17, 2013

SSLv2 Client Hello

We recently upgraded some LTMs from version 11.2 to 11.4 HF4, and we have some older web applications behind them that will only accept an SSLv2 Client Hello from the F5, which is then renegotiated to use TLS 1.0. After we upgraded, we noticed several things had changed, one being that the F5 by default now tries to use TLS 1.2 Client Hellos, which caused problems with some other applications that we were able to fix by applying No TLS 1.2 and No TLS 1.1 in the Server SSL Profiles. The problem I cannot resolve is these applications that require an SSLv2 Client Hello: it appears that no matter what settings I apply, the minimum the F5 will do is an SSLv3 Client Hello, which the server rejects. Any ideas how I might fix this? Is there a way I can force the F5 to use an SSLv2 Client Hello on the Server SSL profile? Thanks.

1 Reply

  • Kevin_K_51432
    Historic F5 Account

    Hi, it looks like the "COMPAT" SSL stack still has some support for SSLv2. You could set this on the SSL Profile in the 'Ciphers' options: Configuration > Advanced > Ciphers. The default is "DEFAULT".

    http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html


    Also, you can look in the Options list for the various protocols to disable: No TLS1_2, No SSLv3, etc.
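
To check from a packet capture which hello format the BIG-IP actually sends on the server side after a profile change, the first bytes of the connection can be classified as in the sketch below. This is an added example, not part of the original thread and not F5 code; the function name and the sample byte strings are constructed for illustration.

```python
import struct

# Names for the version field carried in either hello format.
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends after the TCP handshake."""
    if len(data) < 11:
        raise ValueError("need at least 11 bytes of the first record")
    # SSLv2 framing: 2-byte header with the high bit set, then msg type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        version, cipher_len, sid_len, chal_len = struct.unpack_from(">HHHH", data, 3)
        # The declared field lengths must add up to the record length,
        # and SSLv2 cipher specs are 3 bytes each.
        if 9 + cipher_len + sid_len + chal_len != length or cipher_len % 3:
            raise ValueError("inconsistent SSLv2 ClientHello lengths")
        return {"format": "SSLv2 Client Hello",
                "offered": VERSIONS.get(version, hex(version)),
                "cipher_specs": cipher_len // 3}
    # SSLv3/TLS framing: content type 22 (handshake), record version,
    # record length, handshake type 1 (client_hello), 3-byte length, version.
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        record_version, = struct.unpack_from(">H", data, 1)
        client_version, = struct.unpack_from(">H", data, 9)
        return {"format": "SSLv3/TLS record Client Hello",
                "record": VERSIONS.get(record_version, hex(record_version)),
                "offered": VERSIONS.get(client_version, hex(client_version))}
    raise ValueError("not a ClientHello in either framing")

# Constructed sample: SSLv2-format hello that offers TLS 1.0
# (3 cipher specs, no session id, 16-byte challenge).
SAMPLE_V2 = (bytes.fromhex("8022" "01" "0301" "0009" "0000" "0010")
             + bytes.fromhex("00002f" "00000a" "000005") + bytes(16))
# Constructed sample: TLS record-format hello offering TLS 1.2 (body zeroed).
SAMPLE_TLS = bytes.fromhex("16" "0301" "002d" "01" "000029" "0303") + bytes(39)

if __name__ == "__main__":
    for name, sample in (("v2", SAMPLE_V2), ("tls", SAMPLE_TLS)):
        print(name, classify_client_hello(sample))
```

An SSLv2-format hello that offers TLS 1.0 in its version field is the case the question describes: the backend accepts that framing and then continues in TLS 1.0.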