SSL Profiles Part 1: Handshakes
This is the first in a series of tech tips on the F5 BIG-IP LTM SSL profiles.
SSL Overview and Handshake
SSL Certificates
Certificate Chain Implementation
Cipher Suites
SSL Options
SSL...
Updated Mar 24, 2023
Version 2.0
JRahm
Admin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
Nick_128577
Nimbostratus
Nov 18, 2014
Nice but.... We have both client and server profiles enabled as we are inspecting the traffic as it comes through the F5. Our understanding is that the F5 terminates the secure connection from the outside world and makes a new secure connection internally to the downstream system in this model, and that works fine until a very recent patch for WinShock. What we are seeing is that if we allow TLS1.2 externally but remove the capability internally, then we are seeing issues with the site from an external perspective. Why is this occurring, as surely the F5 should be handling this and not assuming that the downstream system needs to negotiate in the same way?