Forum Discussion

Emmanuel_L_1791
Feb 06, 2015

Use different SSL cipher client and server side

Hi,

Context: I have a back-end that doesn't support TLS V1.2 (BIGIP Version: 11.4 HF7)

Objective: I would like the traffic between the client and the BIG-IP to be encrypted using TLS 1.2, and between the BIGIP and the back-end using TLS 1.1:

client --(TLS1.2)--> BIGIP --(TLS1.1)--> BACK-END

I tried to configure a client ssl profile with this cipher: !SSLV3:NATIVE:!DHE:!ECDHE:!EXPORT:!RC4:!DES:@STRENGTH

and the server ssl profile with this cipher: !TLSV1_2:!SSLV3:NATIVE:!DHE:!ECDHE:!EXPORT:!RC4:!DES:@STRENGTH

But the SSL handshake failed due to cipher overlap with this configuration.

I have to disable TLS1.2 in the ssl client profile cipher list to obtain a successful SSL handshake.

Do you have any idea how to implement different SSL protocols on the client and server side?

Regards, Emmanuel.

1 Reply

  • You don't need to disable TLS 1.2 on the server side. If it doesn't support it, it won't negotiate it. I just tested with a server: I disabled TLS 1.2 on my Apache server and then connected with TLS 1.2 to the virtual server, and TLS 1.1 to the backend, using a profile that supported 1.2 on both sides. The two connections (client side and server side) are completely independent.