TLS record layer version

Question

Dears,&nbsp;As mentioned in the article https://support.f5.com/csp/article/K53037818 .. TLS servers compliant with the TLS1.2 specification must accept any value as the record layer version number for ClientHello.&nbsp;It also mentioned that "When you encounter issues with SSL handshakes failing due to the record layer version in the ClientHello message, you should first review the configuration on the TLS server."&nbsp;As of now, we would like to know where can we see the configuration of TLS record layer version in F5 Client SSL Profile. &nbsp;Thanks in Advance.Mohammed Shiraz

sanjayp · Answer

TLS record layer version is not present in client SSL profile. Please check the last part of the doc, where it mentions beginning v 12.1.0, TLS record layer version is used TLS1.0 unless db value is disabled.

Beginning in BIG-IP 11.5.4 HF2 for the BIG-IP 11.5.x branch and BIG-IP 12.1.0 HF1 and later, the ssl.outerrecordtls1_0 database variable is introduced. Prior to this database variable, the version present in the ClientHello and the version present in the outer record match. With the introduction of this database variable, which is enabled by default, the version present in the outer record is TLS 1.0, regardless of the version in the ClientHello. To verify the value of ssl.outerrecordtls1_0, perform the following procedure:

shiraz · Answer

Thanks for the information Sanjay...&nbsp;Does this means F5 will accept any version of TLS record layer coming from the client.&nbsp;Actually, we need a confirmation that our device will accept any version of TLS record layer coming from the client. And how do we confirm this?&nbsp;Regards

sanjayp · Answer

Please note, ssl.outerrecordtls1_0 this variable is for serverside TLS session. i.e. from F5 to the server where F5 initiates CLIENT HELLO towards the server. &nbsp;For client side TLS session, as mentioned earlier there is no TLS record layer version option. BIGIP accepts all TLS record layer version, the one which matters is CLIENT HELLO version coming from the client. If that's not matching what is allowed on client ssl profile, BIGIP would reset the connection. &nbsp;Are you having any issue in particular with this? &nbsp;&nbsp;

shiraz · Answer

Thanks for your response. Can we have any reference article stating that BIG-IP accepts all TLS record layer versions? Need to provide it to one of the client....&nbsp;Thanks again for your support...

sanjayp · Answer

Sorry don't have it. I'm telling it from my experience of working with BIGIP quite few years now :) ​If you are looking for an official doc, you can log a general information support case with F5 and they can provide the link. ​

Forum Discussion

TLS record layer version

5 Replies

Recent Discussions

About custome Response Blocking Page

Office Online Server with SharePoint 2016

health monitor source IP address

How to target only webview rendering with CSS?

ltm policy asm_auto_l7_policy

Related Content

Persistence records point to 127.0.0.1:10001

Enabling DNSSEC for 1 record only

TMOS Version Update Paths

Managing ZoneRunner Resource Records with Bigsuds

Big IP version 12 API