Is there a way to disable the fallback protection for TLS.
it makes SWG almost unusable?
just logs full of
Connection error: ssl_select_suite:5835: TLS_FALLBACK_SCSV with a lower protocol (86)
I do not believe there is an option to disable it on software versions that have it. Question would be, why are your clients trying to change their SSL version to a lower version after agreeing on the protocol?
I am trying to make SWG "go". but having lots of issues with TLS, i have only been packet caping the F5 to end server side but on all sites that are failing there is a protocol reneg requested. On the client side of the F5 we dont even get to SSL neg because the F5 to server fails first ( this is explicit proxy so F5 getting a proxy CONNECT).
If i modify the SSL profile i can find a configuration that will work with any particular site but then it will break other sites so i cant win.
It seems to me like the F5 is behaving like it is the server in the conversation when it is the client, clients are dumb they should just do what they are told....lol :)