Forum Discussion
SSLv3 to TLS 1.x Proxy
Hoping to find out if this is possible. We have a server that is only SSLv3 compatible and due to compliance reasons we must use TLS 1.x. Is it possible to use the F5 as a proxy in this situation to terminate the connection from the client and have the BIG-IP connect with TLS 1.x? What's the best path? BIG-IP is 10.0.1. Thanks
internal server SSLv3---> BIG-IP as proxy ---TLS 1.x---> Firewall ----> external service
It is possible to have the BIG-IP perform client certificate authentication, with the configuration taking place in the server-ssl profile. SOL11220 that I linked earlier should have the documentation for this process.
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_ssl_profiles.html1298333 may have some details as well.
Ok. In that case, a simple method of proxying this connection could be to add the remote TLS-only server as a node behind a virtual service that the SSLv3-only client has access to. The client-ssl profile on this virtual would support SSLv3, and the server-ssl profile would disable SSLv3.
There are some caveats with this approach. If you don't have administrative control over the remote server, you will have to create your own SSL certificate and key with whatever the name of the TLS-only server is, and install it in the client-ssl profile. The client will have no direct knowledge of the validity of the certificate on the TLS-only server. If you do have control over the other server and it has a valid SSL certificate, I recommend installing it on your BIG-IP and attaching it to the client-ssl profile.
If validating the remote server's certificate is important to you, you should read the "Trusted Certificate Authorities" section of SOL11220.
To clarify, you have an SSL "client" that only speaks SSLv3 and must be able to speak to a TLS-only service? Or do you have a typical client and a server that can only speak SSLv3? Your ASCII diagram makes this slightly unclear.
If you mean the typical scenario, this certainly is possible. You would configure the virtual server for SSL Bridging mode, with both a client-ssl profile and server-ssl profile. Configure the client-ssl profile to disable SSLv3 and whatever other modifications you need. The server-ssl profile usually can be left at default values and it should work with most servers.
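Added example, not from this thread or from F5: once the bridged virtual is configured, a quick way to confirm that each leg negotiates what the profiles intend is to probe it with openssl s_client. The host and port arguments are placeholders; the helper parses s_client output and reports the protocol actually negotiated (a handshake that failed shows a cipher of 0000 and is reported as "none", and an openssl build without SSLv3 support produces no output, which also reads as "none").

```shell
#!/bin/sh
# Added example (not part of the original post). Checks which protocol a
# TLS endpoint actually negotiates, for verifying the server-ssl leg
# (should refuse SSLv3, accept TLS 1.x) and the client-ssl leg of the
# bridged virtual. Host/port are placeholders supplied on the command line.

# Read openssl s_client output on stdin and print the negotiated protocol,
# e.g. "TLSv1.2", or "none" when no session was established (empty output,
# or a cipher of 0000 / (NONE) from a failed handshake).
proto_from_s_client() {
    awk '
        /^ *Protocol *:/ { p = $3 }
        /^ *Cipher *:/   { c = $3 }
        END {
            if (p == "" || c == "" || c == "0000" || c == "(NONE)")
                print "none"
            else
                print p
        }'
}

# Connect to host:port forcing one protocol via the given s_client flag
# (-tls1_2, -tls1, -ssl3) and report what was negotiated.
negotiated() {
    host=$1; port=$2; flag=$3
    printf '' | openssl s_client -connect "$host:$port" "$flag" 2>/dev/null \
        | proto_from_s_client
}

# Usage: ./check_leg.sh <host> <port>
# Run once against the TLS-only back end (expect TLS 1.x, SSLv3 -> none)
# and once against the virtual server fronting the SSLv3-only client.
if [ $# -eq 2 ]; then
    for flag in -tls1_2 -tls1 -ssl3; do
        echo "$1:$2 with $flag -> $(negotiated "$1" "$2" "$flag")"
    done
fi
```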