TLS question

Question

I have a virtual server with only TLS1.2 enabled. The client supports TLS1.2 as well. But when it starts SSL HANDSHAKE it starts with TLS1.0, LTM seeing TLS1.0 sends ACK and then FIN the connection.&nbsp;
I we force client to send TLS1.2, everyone is happy.&nbsp;
Can we configure LTM to send a message back to the client in ServerHello stating that I support TLS1.2, If you support TLS1.2 please negotiate with TLS1.2.&nbsp;
I tried with SSL renegotiation but failed. Using 11.3.0.&nbsp;

mimlo_61970 · Answer

This should work automatically.  The client should send all of the versions it supports in it's hello, and the server should reply with the highest version that it supports that the client supports.&nbsp;
I would do a packet capture and see if the client is stating in it's client hello that it supports tls1.2&nbsp;

devbabu · Answer

Where in client hello should i see that&nbsp;
&nbsp;

mimlo_61970 · Answer

Under Handshake Protocol(the first subsection under the SSL Record Layer), the version is TLS 1.0. The client is stating they want TLS1.0, and as long as you support that, that is what will get used.

Forum Discussion

TLS question

3 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Unblock Request WAF

F5OS login with admin/root failed via console

TLS handshake failure from BIG-IP to backend – Fatal Alert: Decode Error (Server SSL)

Share what you learned on DevCentral in 2025

Failing over Virtual F5 VE to DR location using Zerto

Related Content

Load Balancing TCP TLS Encrypted Syslog Messages

Decrypting TLS traffic on BIG-IP

Fingerprinting TLS Clients with JA4 on F5 BIG-IP

TLS Fingerprinting - a method for identifying a TLS client without decrypting

TLS Stateful vs Stateless Session Resumption

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS