For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

cofotony's avatar
cofotony
Icon for Nimbostratus rankNimbostratus
Jul 12, 2017

SSLv2 Compatible Client Hello - v10.2.4 - is it possible not to send this format in a monitor??

https://devcentral.f5.com/questions/1024-lotus-domino-web-server-sslv2-compatible-client-hello   My query is essentially the same as the above, query 2). We've an LTM trying to monitor a pool of J...
application delivery
LTM
cofotony's avatar
cofotony
Icon for Nimbostratus rankNimbostratus
Jul 13, 2017

In case anyone has the same issue, I found an answer eventually. There is a SSLv2Hello protocol that is disabled by default on newer software revisions. In my case it was Java 1.7 (whereas Java 1.6 it's enabled by default).So the LTM sends a sslv2 compatible hello, which in my case is a tls1.0 hello encapsulated in a sslv2 packet (or something along those lines) and unless the sslv2hello protocol is allowed this will be rejected. Even when we allowed sslv2 completely the hello was being rejected.

 

There are some details in the link below, but in case you don't have a login:

 

https://access.redhat.com/solutions/1254343

 

For example, on EAP 6: Raw or on EAP 7: Raw