Forum Discussion
TLS SSL Profile question.
Hi Mike,
As Kang has said, the ! negates the use of that cipher suite in the profile (in this case TLS 1.0).
If you wanted to use TLS1.2 ONLY, there are options inside the SSL profile to do that.
Note: Different versions of F5 code include different DEFAULT ciphers, i.e. prior to 11.5, SSLv3 was included in the DEFAULT list, and no one wants that...
Thanks for your support so far.
Since reading your recommendation I’ve edited my SSL profile cipher to the following: DEFAULT:!SSLV3:!TLSV1:!TLSV1_1
I’m still getting an error in the log that says “The request was aborted: Could not create SSL/TLS secure channel”.
Maybe I’m barking up the wrong tree altogether. The basic reason for my changes:
“Paypal is in the process of upgrading the SSL certificates used to secure their websites and API endpoints. These new certificates will be signed using the SHA-256 algorithm and VeriSign’s 2048-bit G5 Root Cert. They said we will need to ensure that our environment supports the use of the SHA-256 signing algorithm and discontinue the use of SSL connections that rely on the VeriSign G2 Root Cert.” (paypal)
1) I checked to make sure that we have the VeriSign G5 Root cert on the F5 and I do see it under “ssl certificate list” (not sure if that’s where it should go?)
2) I think our environment supports the SHA-256 signing algorithm but I’m not exactly sure where to check that. The reason I think it does is because the SSL profile that is currently assigned to the Virtual Server for which our website is tied to, is using an SSL cert from GoDaddy that is using sha256.
3) The reason I set the ssl profile cipher to: DEFAULT:!SSLV3:!TLSV1:!TLSV1_1 is because paypal’s upgrade guide is saying that in order to test using the paypal sandbox endpoints we had to support TLS 1.2.
Our SSL offloading is happening on the F5 (clients to F5 is secure and from the F5 to the webservers is just plain http) which I read is a pretty normal implementation. Right now everything is working with paypal as the F5 is configured but my tests are showing that it won’t work after the deadline of the 30th when they switch to new endpoints. They give us test endpoints (sandbox endpoints) to use and they don’t work.
Any suggestions would be most helpful.
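Added example (not part of any post in this thread, and not F5 code): a simplified Python model of how a colon-separated cipher string with `!` negations, such as the `DEFAULT:!SSLV3:!TLSV1:!TLSV1_1` string above, filters a list of (suite, protocol) entries. The suite table, the function names and the case-insensitive keyword matching are assumptions made for illustration; the real DEFAULT list depends on the BIG-IP version.

```python
# Simplified model of a BIG-IP-style cipher string (added example, not F5 code).
# SAMPLE_DEFAULT is constructed sample data, NOT a real DEFAULT list.
SAMPLE_DEFAULT = [
    # (suite name, protocol the entry is offered under)
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSV1_2"),
    ("ECDHE-RSA-AES128-CBC-SHA", "TLSV1_2"),
    ("ECDHE-RSA-AES128-CBC-SHA", "TLSV1_1"),
    ("ECDHE-RSA-AES128-CBC-SHA", "TLSV1"),
    ("AES128-SHA", "TLSV1_2"),
    ("AES128-SHA", "TLSV1_1"),
    ("AES128-SHA", "TLSV1"),
    ("AES128-SHA", "SSLV3"),
    ("RC4-SHA", "TLSV1"),
    ("RC4-SHA", "SSLV3"),
]
PROTOCOLS = {"SSLV3", "TLSV1", "TLSV1_1", "TLSV1_2"}

def matches(keyword, entry):
    """True if keyword names the entry's protocol or one part of its suite name."""
    suite, proto = entry
    kw = keyword.upper()  # assumption: keywords are compared case-insensitively
    if kw in PROTOCOLS:
        return proto == kw  # exact match: TLSV1 means TLS 1.0 only, not 1.1
    return kw in suite.upper().split("-")

def evaluate(cipher_string, default=SAMPLE_DEFAULT):
    """Return the entries left after applying each token, left to right."""
    selected, banned = [], []
    for token in (t.strip() for t in cipher_string.split(":")):
        if not token:
            continue
        if token.startswith("!"):
            # '!' removes matching entries and keeps them out for later tokens
            banned.append(token[1:])
            selected = [e for e in selected if not matches(token[1:], e)]
            continue
        pool = default if token.upper() == "DEFAULT" else \
            [e for e in default if matches(token, e)]
        for e in pool:
            if e not in selected and not any(matches(b, e) for b in banned):
                selected.append(e)
    return selected

def protocols_offered(cipher_string):
    """Sorted protocol versions that still have at least one suite."""
    return sorted({proto for _, proto in evaluate(cipher_string)})

def legacy_protocols(cipher_string):
    """Protocols older than TLS 1.2 that the string still allows."""
    return [p for p in protocols_offered(cipher_string) if p != "TLSV1_2"]
```

On a BIG-IP itself, `tmm --clientciphers 'DEFAULT:!SSLV3:!TLSV1:!TLSV1_1'` lists what the string expands to against that version's real DEFAULT list.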