For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ADALL_190792's avatar
ADALL_190792
Icon for Nimbostratus rankNimbostratus
Mar 05, 2015

SSLv3 to TLS 1.x Proxy

Hoping to find out if this is possible. We have a server that is only SSLv3 compatible and due to compliance reasons we must use TLS 1.x. Is it possible to use the F5 as a proxy in the situation to...
application delivery
LTM
proxy
sslv3
tls
JoshBecigneul's avatar
JoshBecigneul
Icon for MVP rankMVP
Mar 06, 2015

Ok. In that case, a simple method of proxying this connection could be to add the remote TLS-only server as a node behind a virtual service that the SSLv3-only client has access to. The client-ssl profile on this virtual would support SSLv3, and the server-ssl profile would disable SSLv3.

 

There are some caveats with this approach. If you don't have administrative control over the remote server, you will have to create your own SSL certificate and key with whatever the name of the TLS-only server is, and install it in the client-ssl profile. The client will have no direct knowledge of the validity of the certificate on the TLS-only server. If you do have control over the other server and it has a valid SSL certificate, I recommend installing it on your BIG-IP and attach it to the client-ssl profile.

 

If validating the remote server's certificate is important to you, you should read the "Trusted Certificate Authorities" section of SOL11220