Forum Discussion

OTS02
Dec 07, 2015

Is there a way to force the TLS version?

I have a group of servers that will not negotiate SSL with LTM when the client goes through the VS. The client can connect directly to the server OK, and the https monitors have no problem.

When I run ssldump going directly to the server, this is what I get:

New TCP connection 2: 10.clientnet.218(13181) <-> 10.servernet.52(443)

2 1 1449523870.9851 (0.0013) C>SV3.1(160) Handshake

  ClientHello
    Version 3.3 
    random[32]=
      e4 84 88 5b 3d 3f a8 76 d7 4b 3a 41 c8 bb c2 54 
      70 94 8f 78 95 f9 1c 67 fa 00 47 44 da fb 95 a2 
    cipher suites
    Unknown value 0xc02b
    Unknown value 0xc02f
    Unknown value 0xc00a
    Unknown value 0xc009
    Unknown value 0xc013
    Unknown value 0xc014
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    compression methods
              NULL

1449523870.9870 (0.0019) S>CV3.3(3924) Handshake

  ServerHello
    Version 3.3 
    random[32]=
      56 65 fa 9e 28 03 10 41 47 99 f3 2f a5 f5 50 7c 
      7b 20 76 44 d5 aa 42 d4 6f db e9 d9 ff 20 4b 51 
    session_id[32]=
      f2 26 00 00 5e fe 30 ea 51 c5 24 ba 30 a0 bc a6 
      6a 9c 3d f2 c7 5b aa 2f 0d 64 0e e9 43 6e b0 4a 
    cipherSuite         TLS_RSA_WITH_AES_128_CBC_SHA
    compressionMethod                   NULL
  Certificate
  ServerHelloDone
  and away it goes...


But when accessed through the VS, this is what I get:

New TCP connection 1: 10.clientnet.218(14788) <-> 10.servernet.52(443)

1449526121.5277 (0.0005) C>SV3.3(79) Handshake

  ClientHello
    Version 3.3 
    random[32]=
      6b 25 aa 28 ee 9d 9f bc 17 3a 4c 14 4f 08 fd 9e 
      fb ac 31 ba 4e 53 45 0e 56 74 61 31 66 2a 96 02 
    cipher suites
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    Unknown value 0xc013
    Unknown value 0xc014
    Unknown value 0xc012
    Unknown value 0xff
    compression methods
              NULL
1449526121.5285 (0.0007)  S>C  TCP RST     and that is game over...

So the difference SEEMS to be C>SV3.1 and C>SV3.3, which I assume is TLS1.2 version 3.1 and 3.3

I have the server-side ssl profile cipher list set to "ALL".

Any suggestions would be greatly appreciated.

5 Replies

  • If you change your SSL server-side profile cipher conf to TLSv1_2, you can make your F5, acting as a client, only establish an SSL handshake if your application server supports at least one of the TLSv1.2 cipher suites below. If the server does not support TLSv1.2, F5 will tear down the server-side TCP connection. Despite explicit TLSv1.2, the list has some weak suites in it; you might want to adjust it a little further.

     tmm --serverciphers "TLSv1_2"
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
     1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
     2: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
     3: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES     SHA384  ECDHE_ECDSA
     4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA
     5: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES     SHA     ECDHE_ECDSA
     6:   163  DHE-DSS-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM  SHA384  DHE/DSS
     7:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
     8:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES     SHA256  EDH/RSA
     9:   106  DHE-DSS-AES256-SHA256            256  TLS1.2  Native  AES     SHA256  DHE/DSS
    10:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES     SHA     EDH/RSA
    11:    56  DHE-DSS-AES256-SHA               256  TLS1.2  Native  AES     SHA     DHE/DSS
    12:   167  ADH-AES256-GCM-SHA384            256  TLS1.2  Native  AES-GCM  SHA384  ADH
    13: 49202  ECDH-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM  SHA384  ECDH_RSA
    14: 49198  ECDH-ECDSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM  SHA384  ECDH_ECDSA
    15: 49194  ECDH-RSA-AES256-SHA384           256  TLS1.2  Native  AES     SHA384  ECDH_RSA
    16: 49190  ECDH-ECDSA-AES256-SHA384         256  TLS1.2  Native  AES     SHA384  ECDH_ECDSA
    17: 49167  ECDH-RSA-AES256-SHA              256  TLS1.2  Native  AES     SHA     ECDH_RSA
    18: 49157  ECDH-ECDSA-AES256-SHA            256  TLS1.2  Native  AES     SHA     ECDH_ECDSA
    19:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM  SHA384  RSA
    20:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
    21:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA
    22: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA
    23: 49160  ECDHE-ECDSA-DES-CBC3-SHA         192  TLS1.2  Native  DES     SHA     ECDHE_ECDSA
    24:    22  DHE-RSA-DES-CBC3-SHA             192  TLS1.2  Native  DES     SHA     EDH/RSA
    25: 49165  ECDH-RSA-DES-CBC3-SHA            192  TLS1.2  Native  DES     SHA     ECDH_RSA
    26: 49155  ECDH-ECDSA-DES-CBC3-SHA          192  TLS1.2  Native  DES     SHA     ECDH_ECDSA
    27:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA
    28: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
    29: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
    30: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
    31: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES     SHA256  ECDHE_ECDSA
    32: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
    33: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES     SHA     ECDHE_ECDSA
    34:   162  DHE-DSS-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM  SHA256  DHE/DSS
    35:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
    36:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES     SHA256  EDH/RSA
    37:    64  DHE-DSS-AES128-SHA256            128  TLS1.2  Native  AES     SHA256  DHE/DSS
    38:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES     SHA     EDH/RSA
    39:    50  DHE-DSS-AES128-SHA               128  TLS1.2  Native  AES     SHA     DHE/DSS
    40:   166  ADH-AES128-GCM-SHA256            128  TLS1.2  Native  AES-GCM  SHA256  ADH
    41: 49201  ECDH-RSA-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM  SHA256  ECDH_RSA
    42: 49197  ECDH-ECDSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM  SHA256  ECDH_ECDSA
    43: 49193  ECDH-RSA-AES128-SHA256           128  TLS1.2  Native  AES     SHA256  ECDH_RSA
    44: 49189  ECDH-ECDSA-AES128-SHA256         128  TLS1.2  Native  AES     SHA256  ECDH_ECDSA
    45: 49166  ECDH-RSA-AES128-SHA              128  TLS1.2  Native  AES     SHA     ECDH_RSA
    46: 49156  ECDH-ECDSA-AES128-SHA            128  TLS1.2  Native  AES     SHA     ECDH_ECDSA
    47:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM  SHA256  RSA
    48:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
    49:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA
    50:     5  RC4-SHA                          128  TLS1.2  Native  RC4     SHA     RSA
    51:     4  RC4-MD5                          128  TLS1.2  Native  RC4     MD5     RSA
    52:    21  DHE-RSA-DES-CBC-SHA               64  TLS1.2  Native  DES     SHA     EDH/RSA
    
    • OTS02
      Thank you Hannes Rapp. I tried that, and it does not help. It is the server (Windows 2008) that is sending the reset. I wish I knew where to view the SSL logs in Windows - it seems they should give some reason for the immediate reset.
  • Wait a minute! I made the server-side SSL profile cipher string = 'TLSv1' only AND IT WORKS!

    I'm so stinkin' happy.

    You would think that 'ALL' would work, since the server should negotiate down to TLS 1.0 (like the other WIN 2008 servers do). Hannes Rapp, I thank you!
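The two ssldump traces in the question and the cipher table in Hannes Rapp's reply can be compared mechanically. This added Python example, not from the thread or from F5, parses constructed, abridged excerpts of both: it separates the record-layer version on the C>SV line from the Version field inside the ClientHello, resolves ssldump's "Unknown value" IDs through the decimal IDs of the tmm --serverciphers table, and lists the suites that only one path offers.

```python
import re
# Constructed, abridged excerpts of the two ssldump ClientHello traces quoted in the question.
DIRECT = """\
2 1 1449523870.9851 (0.0013) C>SV3.1(160) Handshake
  ClientHello
    Version 3.3
    cipher suites
    Unknown value 0xc02b
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
"""
VIA_VS = """\
1449526121.5277 (0.0005) C>SV3.3(79) Handshake
  ClientHello
    Version 3.3
    cipher suites
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    Unknown value 0xc013
    Unknown value 0xff
"""
# Constructed excerpt of the reply's "tmm --serverciphers" table (decimal suite IDs).
TMM_TABLE = """\
29: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
32: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
"""
SPECIAL = {0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}  # RFC 5746 signalling value, not a cipher

def parse_tmm_table(text):
    """Map decimal suite ID -> F5 suite name from tmm --serverciphers output."""
    return {int(m.group(1)): m.group(2) for m in re.finditer(r"^\s*\d+:\s+(\d+)\s+(\S+)", text, re.M)}

def parse_client_hello(trace, names):
    """Return (record-layer version, ClientHello version, [suite names]) for one trace."""
    record = re.search(r"C>SV(\d+\.\d+)\(\d+\) Handshake", trace).group(1)
    hello = re.search(r"^\s*Version (\d+\.\d+)", trace, re.M).group(1)
    suites = []
    for line in (raw.strip() for raw in trace.splitlines()):
        if m := re.match(r"Unknown value 0x([0-9a-fA-F]+)$", line):  # ssldump had no name for it
            code = int(m.group(1), 16)  # resolve via the F5 table, else RFC 5746, else raw hex
            suites.append(names.get(code) or SPECIAL.get(code) or "0x%04x" % code)
        elif line.startswith("TLS_"):
            suites.append(line)
    return record, hello, suites

def compare(trace_a, trace_b, names):
    """Diff two ClientHellos: record-layer version, hello version, suites offered by only one side."""
    (rec_a, hello_a, a), (rec_b, hello_b, b) = [parse_client_hello(t, names) for t in (trace_a, trace_b)]
    return {"record_version": (rec_a, rec_b), "hello_version": (hello_a, hello_b),
            "only_in_first": sorted(set(a) - set(b)), "only_in_second": sorted(set(b) - set(a))}
```

Run against the excerpts, the comparison shows that the ClientHello's own Version field is 3.3 on both paths and only the record-layer version (3.1 direct, 3.3 via the VS) differs, which is the field the question is comparing.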