Forum Discussion

Nimbostratus

Apr 13, 2023

Irule to Separate TLS 1.0 and TLS 1.2 on the same VIP

I have a vip that only uses TLS 1.0 and 1.1 but I just got a request that lets say out of 200 apps running behind the one vip the dev team want to set 20 Apps, URL'S with in that VIP to use only TLS ...

security

Paulius

MVP

Apr 13, 2023

DJ2 I think the easiest option here is if the clients can use SNI, you would then configure two different SSL certs that have different FQDNs associated to them you can split it that way because you can associate different SSL ciphers to the two individual SSL client profiles. I don't believe you can do this without SNI because the F5 is not able to see the host header until after the SSL handshake process completes which is after the cipher suite is selected. With SNI the FQDN that is being used from the client side is sent in the initial request so you can select the appropriate SSL client profile which will have the associated SSL ciphers and TLS that you would like for that group of names.

Forum Discussion

Irule to Separate TLS 1.0 and TLS 1.2 on the same VIP

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

Log separation by event

https and separate port VS

Separating False Positives from Legitimate Violations

Can APM Licenses on Two Separate Boxes Be Combined?

Configuring Pool members in a separate subnet of self IP on a Virtual Server