Nimbostratus
We are running LTM 10.2.3 with server ssl offload. Some of our clients browsers are running TLS1.2 and our server does not support TLS1.2. I wanted to customize serverside SSL to not use TLS1.2, to decrypt and recrypt with TLS1.1 on server end.
Not sure if this would work.
Regards
Cirrostratus
That sounds like it should work. You should be able to specify separate cipher lists for the client and server SSL profiles:
sol8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
https://support.f5.com/kb/en-us/solutions/public/8000/800/sol8802.html
Aaron
NimbostratusAaron,
Thanks for your response. I guess my question should have been, "does BigIp use the same cipher on the serverside" encrption? I was of the opinion that if a client is connecting with TLS1.2, bigip will decrypt and reencrypt with the "same cipher" (TLS1.2) in its connection with the server. Otherwise, current clients shouldn't have problem connecting with TLS1.2.
Regards
Elias
Nimbostratus
Unfortunately, I don't have test environment to validate this.
Cirrostratus
That seems like it should work. You might want to use 'NATIVE:!TLS1_2:@SPEED'. You can create a test virtual server on your existing LTM to test this. Or you could contact your F5 or partner SE and request an eval key for VE lab edition.
Aaron
Nimbostratus
Cirrostratus
Bug 372901 - MCP validation on SSL cipher string out of sync with tmm
If you're not able to upgrade to 10.2.4 you could check for alternative options with F5 Support.
Aaron
Nimbostratus
Checked the bug ID http://support.f5.com/kb/en-us/solutions/public/13000/500/sol13543.html
I have downloaded 10.2.4 in preparation for upgrade
Elias
Cirrostratus
Thanks, Aaron
Nimbostratus
Regards
Elias