Forum Discussion
Support TLS1.3 and TLS1.2 protocols
Hi MaxMedov,
On the client-side SSL, BIG-IP will select the best cipher that is presented in the Client Hello, which contains all supported ciphers.
Let's say the client sends TLS 1.2 ciphers: if the BIG-IP client SSL profile supports TLS 1.2 as well as TLS 1.3, it will work and the handshake will complete.
It looks like BIG-IP picks one cipher from the pool of supported ciphers presented in the Client Hello message.
But if BIG-IP doesn't find a supported cipher according to the client SSL profile, it will give a handshake_failure alert and the SSL connection will not complete.
Test that on a test virtual server and take packet captures. Look at the { Client Hello } samples and you will see a list of supported cipher suites; look at the { Server Hello } samples and you will see the pivot one, or the selected cipher, according to your client SSL configuration.
So if a client comes with TLS 1.2 and you are allowing ( TLS 1.2 or TLS 1.3 ) on BIG-IP, it should accept it, but you must allow TLSv1.2 ciphers in the client SSL profile which is attached to your targeted virtual server.
Also, I recommend taking packet captures first to see which ciphers your clients send in their Client Hello messages, to make sure you are supporting them.
I will attach a useful article for troubleshooting SSL handshake failures and negotiations:
https://my.f5.com/manage/s/article/K15292
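The check described in the reply above, as an added example that is not part of the original post and is not F5 code: it extracts the cipher-suite list from a raw Client Hello record (as exported from a packet capture) and picks the first suite in a profile's allowed list that the client also offered. The sample record, the two profile lists and the server-preference ordering are assumptions made for illustration.

```python
import struct

# Names for the suite IDs used below (IANA TLS Cipher Suites registry).
NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
         0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256"}

def client_hello_suites(record: bytes) -> list:
    """Return the cipher-suite IDs offered in one raw TLS Client Hello record."""
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS record carrying a Client Hello")
    pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, legacy_version, random
    pos += 1 + record[pos]          # skip session_id (1-byte length prefix)
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(record):
        raise ValueError("truncated or malformed cipher_suites list")
    return [s for (s,) in struct.iter_unpack("!H", record[pos:pos + cs_len])]

def select_suite(offered, profile_allowed):
    """First suite in the profile's order that the client offered.
    Assumption: server-preference ordering. None models handshake_failure."""
    offered = set(offered)
    return next((s for s in profile_allowed if s in offered), None)

def build_sample_hello(suites) -> bytes:
    """Constructed minimal Client Hello (no extensions), for the demo only."""
    body = b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed inputs: a client that offers only TLS 1.2 suites, and two
# hypothetical profile cipher lists (TLS 1.3 only, and TLS 1.3 plus TLS 1.2).
SAMPLE_HELLO = build_sample_hello([0xC02F, 0xC030, 0x009C])
PROFILE_TLS13_ONLY = [0x1302, 0x1301]
PROFILE_TLS13_AND_12 = [0x1302, 0x1301, 0xC030, 0xC02F]

if __name__ == "__main__":
    offered = client_hello_suites(SAMPLE_HELLO)
    print("client offers:", [NAMES.get(s, hex(s)) for s in offered])
    for label, prof in (("1.3 only", PROFILE_TLS13_ONLY),
                        ("1.3 + 1.2", PROFILE_TLS13_AND_12)):
        pick = select_suite(offered, prof)
        print(label, "->", NAMES[pick] if pick else "handshake_failure")
```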