Forum Discussion

cymru81
Sep 28, 2017

SSL fallback help

Hi, we have an SSL VIP that currently only supports TLS 1.2 (via ciphers); anything else will fail, which is great. We are launching a new public website soon, and we would like older clients to be able to fall back, e.g. to TLS 1.1 or 1.0, if they don't have current browsers. Is it possible to do this, and in a way that we don't leave ourselves vulnerable? Thanks.

 

1 Reply

  • Since the TLS handshake happens before the request and we can tell what type of browser this is, we can't really say what type of browsers are allowed to use which ciphers. I suppose you could set up an iRule to examine the request and force a renegotiation with a different profile but that will be a bit unwieldy I think. I think sooner or later you just have to make a decision to not support older and insecure browsers.
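
The following is an added example, not part of the original thread and not F5 code: it parses a constructed ClientHello to show what a TLS terminator can base its accept/reject decision on at handshake time, namely the offered protocol version and cipher suites, with no HTTP header such as User-Agent available yet. The function names, the sample records and the `minimum` parameter are hypothetical.

```python
import struct

# Protocol version numbers as they appear on the wire.
# A TLS 1.3 client also sends 0x0303 here and lists 1.3 in an extension (not parsed).
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(version, suites):
    """Build a minimal constructed ClientHello record (sample input, no extensions)."""
    body = struct.pack("!H", version) + bytes(32)   # client_version + zeroed random
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def parse_client_hello(record):
    """Extract the offered version and cipher suites from a ClientHello record."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a ClientHello")
        version = struct.unpack("!H", record[9:11])[0]
        pos = 43                                    # past version (2) and random (32)
        pos += 1 + record[pos]                      # skip session_id
        n = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        if n % 2 or pos + n > len(record):
            raise ValueError("bad cipher suite list")
        suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    return version, suites

def handshake_decision(record, minimum=0x0303):
    """Accept or reject using only handshake data; no HTTP header exists yet."""
    version, _ = parse_client_hello(record)
    name = VERSIONS.get(version, hex(version))
    if version < minimum:
        return "reject: client offers at most " + name
    return "accept: " + name

# Constructed samples: an old client (TLS 1.0, CBC/3DES suites) and a TLS 1.2 client.
OLD = build_client_hello(0x0301, [0x002F, 0x000A])
MODERN = build_client_hello(0x0303, [0xC02F])

if __name__ == "__main__":
    for hello in (OLD, MODERN):
        print(handshake_decision(hello), [hex(s) for s in parse_client_hello(hello)[1]])
```

Lowering `minimum` to `0x0301` admits the old client, and that choice applies to every client offering that version, since nothing in the record identifies the browser.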