Forum Discussion

Amit585731
Mar 21, 2016

Regarding cipher negotiation for LTM

Hi,


I need a suggestion regarding cipher negotiation between LTM and the server. As per my understanding, when the client sends its hello it sends all the cipher values it supports. So in the case of the serverssl profile, I am seeing that when LTM sends its hello to the nodes it only sends TLSv1.2, and since our node supports TLSv1 it is dropping the connection. So ideally, if client and server are not able to agree on a cipher value, LTM should switch to TLSv1.1, then TLSv1 and SSLv3, since these ciphers are currently enabled on LTM. But why, after LTM sends TLSv1.2 and sees a reset from the server, does it not fall back to the lower supported ciphers? Do we need to make any other changes on the LTM side?


Also, if I configure the cipher value as something like :TLSv1:TLSv1.1:TLSv1.2, will TLSv1 take preference over v1.1 and v1.2?


Thanks.


2 Replies

  • A TCP Reset from the end server is not a correct SSL/TLS downgrade response. Probably you're using Windows Server 2008?

    You can mitigate this by enforcing the use of TLSv1.0 in your BIG-IP serverssl profile. Do not modify the default serverssl profile, but create a new one with your custom settings. When done, apply that custom TLSv1.0-only serverssl profile to your Virtual Server.

    Creating a custom TLSv1.0-only serverssl profile (Local Traffic - Profiles - SSL - Server):

    1) Create a new serverssl profile.

    2) Name it as you like, e.g. profile_serverssl_TLSv1-0.

    3) Parent Profile: serverssl.

    4) Expand the configuration section: advanced.

    5) In the Cipher configuration, replace the DEFAULT keyword with TLSv1.

    6) Keep the rest as default, unless you have other requirements.
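The same six GUI steps expressed as tmsh commands, added here as an illustration and not taken from the reply above or from F5 documentation. The virtual server name vs_app_443 is a hypothetical placeholder; everything else is standard tmsh syntax for the objects the reply names.

```tmsh
# Added example (not part of the thread): custom TLSv1-only server-ssl profile via tmsh.
# Assumption: the virtual server is called vs_app_443 (hypothetical name).

# 1) Create the custom profile with the default serverssl as its parent,
#    so the default profile itself is never modified.
create ltm profile server-ssl profile_serverssl_TLSv1-0 defaults-from serverssl ciphers TLSv1

# 2) Confirm the cipher string and parent were stored as intended.
list ltm profile server-ssl profile_serverssl_TLSv1-0 ciphers defaults-from

# 3) If a different server-ssl profile is already attached to the virtual
#    server, detach it first (only one server-ssl profile is allowed per VS):
#    modify ltm virtual vs_app_443 profiles delete { serverssl }

# 4) Attach the custom profile on the server side of the virtual server.
modify ltm virtual vs_app_443 profiles add { profile_serverssl_TLSv1-0 { context serverside } }

# 5) Persist the running configuration.
save sys config
```

To see what a cipher string actually expands to before committing to it, run `tmm --clientciphers 'TLSv1'` (or `tmm --clientciphers 'TLSv1:TLSv1.1:TLSv1.2'`) from the BIG-IP bash prompt rather than from tmsh; it prints the resulting suites with their protocol versions in the order the string produces, which is a more reliable way to settle the ordering question in the original post than reasoning about the keywords.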