How to disable TLS_FALLBACK_SCSV extension?

Is there a way to disable the fallback protection for TLS?

It makes SWG almost unusable, just logs full of: Connection error: ssl_select_suite:5835: TLS_FALLBACK_SCSV with a lower protocol (86)


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I do not believe there is an option to disable it on software versions that have it. Question would be, why are your clients trying to change their SSL version to a lower version after agreeing on the protocol?

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I am trying to make SWG "go", but I am having lots of issues with TLS. I have only been packet capturing the F5-to-end-server side, but on all sites that are failing there is a protocol reneg requested. On the client side of the F5 we don't even get to SSL neg because the F5 to server fails first (this is explicit proxy, so the F5 is getting a proxy CONNECT).

If I modify the SSL profile I can find a configuration that will work with any particular site, but then it will break other sites, so I can't win.

It seems to me like the F5 is behaving like it is the server in the conversation when it is the client. Clients are dumb, they should just do what they are told... lol :)

0