SSLv3 to TLS 1.x Proxy

Question

Hoping to find out if this is possible.  We have a server that is only SSLv3 compatible and due to compliance reasons we must use TLS 1.x.  Is it possible to use the F5 as a proxy in the situation to terminate the connection from the client and BIG-IP to connect with TLS 1.x?  What's the best path?  BIG-IP is 10.0.1.  Thanks&nbsp;
internal server SSLv3---&gt; BIG-IP as proxy ---TLS 1.x---&gt; Firewall ----&gt; external service&nbsp;

joshbecigneul · Answer

To clarify, you have a SSL "client" that only speaks SSLv3 and must be able to speak to a TLS-only service? Or do you have a typical client and a server that can only speak SSLv3? Your ascii diagram makes this slightly unclear.&nbsp;
If you mean the typical scenario, this certainly is possible. You would configure the virtual server for SSL Bridging mode, with both a client-ssl profile and server-ssl profile. Configure the client-ssl profile to disable SSLv3 and whatever other modifications you need. The server-ssl profile usually can be left at default values and it should work with most servers.&nbsp;

joshbecigneul · Answer

Ok. In that case, a simple method of proxying this connection could be to add the remote TLS-only server as a node behind a virtual service that the SSLv3-only client has access to. The client-ssl profile on this virtual would support SSLv3, and the server-ssl profile would disable SSLv3. &nbsp;
There are some caveats with this approach. If you don't have administrative control over the remote server, you will have to create your own SSL certificate and key with whatever the name of the TLS-only server is, and install it in the client-ssl profile. The client will have no direct knowledge of the validity of the certificate on the TLS-only server. If you do have control over the other server and it has a valid SSL certificate, I recommend installing it on your BIG-IP and attach it to the client-ssl profile.&nbsp;
If validating the remote server's certificate is important to you, you should read the "Trusted Certificate Authorities" section of SOL11220&nbsp;

joshbecigneul · Answer

It is possible to have the BIG-IP perform client certificate authentication, with the configuration taking place in the server-ssl profile. SOL11220 that I linked earlier should have the documentation for this process. &nbsp;
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_ssl_profiles.html1298333 may have some details as well.&nbsp;

Forum Discussion

SSLv3 to TLS 1.x Proxy

3 Replies

AppWorld Berlin iRules Contest!

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

Recent Discussions

Priority Group Activation is not working

Changes to DO and AS3 GitHub - no longer monitored

SSL Forward Proxy, iRules and Client Hello

monitor/healthcheck issue with envoy gateway

Recommendation for Adv. Lab

Related Content

Explore TCP and TLS Profiles for Optimal S3 with MinIO Clusters

Load Balancing TCP TLS Encrypted Syslog Messages

Decrypting TLS traffic on BIG-IP

Secure and Harden Forward Proxies in NGINX Plus

Fingerprinting TLS Clients with JA4 on F5 BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS