SSLv2/SSLv3

Question

Hi, we're running LTM v12.0.   Since some legacy applications only support only SSLv2/SSLv3, we try to take away !SSLv2 and -SSLv3 in default cipher list as following:&nbsp;
!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:-MD5:-RC4&nbsp;
However, seems SSLv2 is not offered (through some SSL tester).   Finally we have to make the cipher list as something like that "COMPAT+SSLV2:SSLV3:TLSV1:TLSV1_1:TLSV1_2" (the VS is also used by some newer applications that supports TLSv1.1 and TLSV1.2.&nbsp;
Would like to know if there is a "less insecure" way to setup SSL client profile with such requirement?&nbsp;
Thanks a lot.
Regards&nbsp;

kevin_stewart · Answer

Please take a look at the following:&nbsp;
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html&nbsp;
There are two important pieces of information to glean from this document.&nbsp;
The COMPAT stack was completely removed in 12.012.0 does not include support for SSLv3 in the remaining NATIVE stack
Therefore to get SSLv3 support, you'll need to use 11.6.1 and below, and to get SSLv2 support, you'll need 11.6.0 and below. I would however implore you to NOT do this. SSLv2 and SSLv3 were removed from the box for very good reasons.&nbsp;

Forum Discussion

SSLv2/SSLv3

1 Reply

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

SSL client profile with no TLSv1 , No SSLV2 & No SSLv3 ?

report for sslv2 and sslv3

SSL Protocol Stats for SSLv2, SSLv3, TLS1.1 ad TLS1.2 connections with source

purpose of cipher set to DEFAULT and 'no-sslv2 no-sslv3' in options

Re: CVE-2014-3566: Removing SSLv3 from BIG-IP