Forum Discussion

Thiago_Morais
Dec 28, 2020

Redirect TLS1.0 to TLS1.2

I need to configure a VS to accept client requests using TLS1.0 and forward them to a pool using TLS1.2.

What is the best way to configure this scenario?

Thanks!

TM

3 Replies

  • Hi Thiago,


    I understand you have a VS which should accept only TLS 1.0 traffic and a pool with pool members that are only accepting TLS1.2 traffic, so you are doing what is called SSL bridging. In that scenario you would need to attach a ClientSSL and a ServerSSL profile to the VS.

    In ClientSSL and ServerSSL profiles you can configure Cipher Suites, which practically define which TLS ciphers are available in the profile for negotiating a secure communication channel.

    You can use the DEFAULT cipher suite in both the ClientSSL and ServerSSL profiles; it will support TLS1 on the client-side and also TLS1.2 on the server-side.

    If you plan to tweak the cipher suites further, or just want to have a better understanding of the whole subject, take a look at K15194: Overview of BIG-IP SSL/TLS cipher suites.


    KR

  • The title is misleading; it shouldn't be "redirect", but something like "client traffic on TLS1.0 and server-side traffic on TLS1.2".

    Also, remember there's no point in forcing TLS1.0 on the client side when the client can/may communicate on TLS1.2.

    TLS1.0 has vulnerabilities, so unless there's a real reason, you shouldn't be using it. If the clients are upstreams to your VS, then you should put the effort into remediating the upstreams to communicate on TLS1.2, not the other way around. This puts risk in the environment.


    The default clientssl & serverssl support all TLS versions, so I'd say you build your custom clientssl profile and simply set defaults-from to clientssl, so even if TLS1.0 clients come, they'll be allowed, and if clients of a higher version come, they'd still be served. This requires you to understand your requirement and build the setup.


    On the server side, the default serverssl would suffice. It will communicate on TLS1.2.

  • There is a legacy application that can't support the most recent TLS version, and nobody wants to upgrade it because there is no support from the vendor.


    I will schedule a maintenance window to create the new VS with two different SSL profiles. In the SSL Client profile, I will use the DEFAULT ciphers but in the SSL Server profile, I will use the specific ciphers that support TLS1.2.


    Thank you for your opinions. I'll let you know when I apply the configuration and run some tests.


    Regards,

    TM
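Putting the replies together, the tmsh commands below show the SSL bridging setup described in this thread, written as an added example rather than anything posted by the participants: a custom ClientSSL profile inheriting from the built-in clientssl so the legacy TLS1.0 clients are still accepted, and a ServerSSL profile pinned to TLS1.2 for the pool. The profile, virtual server and pool names, the 10.0.0.10 address, and the use of the built-in default.crt/default.key objects are assumptions.

```tmsh
# Added example, not from the thread. Assumed names: legacy_clientssl,
# tls12_serverssl, legacy_app_vs, legacy_app_pool, destination 10.0.0.10:443.

# Client-side profile: defaults-from clientssl keeps the DEFAULT cipher string,
# so TLS1.0 (needed by the legacy application) through TLS1.2 are all accepted.
# SSLv3 is explicitly disabled; the legacy TLS1.0 allowance is the only
# deliberate weakening, and it lives only on the client side.
create ltm profile client-ssl legacy_clientssl defaults-from clientssl cert default.crt key default.key ciphers "DEFAULT:!SSLv3" options { dont-insert-empty-fragments no-sslv3 }

# Server-side profile: the BIG-IP-to-pool handshake is restricted to TLS1.2
# both via the cipher string (K15194 protocol keywords) and via the options.
create ltm profile server-ssl tls12_serverssl defaults-from serverssl ciphers "DEFAULT:!SSLv3:!TLSv1:!TLSv1_1" options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1_1 }

# Virtual server carrying both profiles in their respective contexts.
create ltm virtual legacy_app_vs destination 10.0.0.10:443 ip-protocol tcp profiles add { tcp { } http { } legacy_clientssl { context clientside } tls12_serverssl { context serverside } } pool legacy_app_pool source-address-translation { type automap }

# Verify the effective protocol settings before the maintenance window closes.
list ltm profile client-ssl legacy_clientssl ciphers options
list ltm profile server-ssl tls12_serverssl ciphers options
list ltm virtual legacy_app_vs profiles

save sys config
```

The `list` output is the check worth keeping from the change record: the server-ssl profile must show no-tlsv1 and no-tlsv1_1 in its options, while the client-ssl profile shows only no-sslv3.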