SSL Client profile: can't activate SSLv2
We have an Exchange 2010 CAS setup. When we enable SSL offloading, some of our "legacy" clients can't use Outlook Anywhere anymore. We suspect the old clients can't agree on a cipher with the F5.
I ran sslscan towards the CAS server:

    Testing SSL server CAS_server on port 443
    Supported Server Cipher(s):
    Accepted SSLv2 168 bits DES-CBC3-MD5
    Accepted SSLv2 128 bits RC4-MD5
    Accepted SSLv3 168 bits DES-CBC3-SHA
    Accepted SSLv3 128 bits RC4-SHA
    Accepted SSLv3 128 bits RC4-MD5
    Accepted TLSv1 256 bits AES256-SHA
    Accepted TLSv1 128 bits AES128-SHA
    Accepted TLSv1 168 bits DES-CBC3-SHA
    Accepted TLSv1 128 bits RC4-SHA
    Accepted TLSv1 128 bits RC4-MD5
With the "DEFAULT" cipher on our F5 (v10.2.4) it looked exactly the same, except for the 2 lines with "SSLv2"; these were missing in the sslscan of our vserver. We've tried all kinds of ciphers in the SSL client profile, but we can't seem to activate any SSLv2 cipher.
For example, with "ALL:+SSLv2:+DH:+ADH:+EDH:@SPEED", we have this:

    Testing SSL server F5_vserver on port 443
    Supported Server Cipher(s):
    Accepted SSLv3 256 bits AES256-SHA
    Accepted SSLv3 128 bits AES128-SHA
    Accepted SSLv3 168 bits DES-CBC3-SHA
    Accepted SSLv3 56 bits DES-CBC-SHA
    Accepted SSLv3 40 bits EXP-DES-CBC-SHA
    Accepted SSLv3 128 bits RC4-SHA
    Accepted SSLv3 128 bits RC4-MD5
    Accepted SSLv3 40 bits EXP-RC4-MD5
    Accepted TLSv1 256 bits AES256-SHA
    Accepted TLSv1 128 bits AES128-SHA
    Accepted TLSv1 168 bits DES-CBC3-SHA
    Accepted TLSv1 56 bits DES-CBC-SHA
    Accepted TLSv1 40 bits EXP-DES-CBC-SHA
    Accepted TLSv1 128 bits RC4-SHA
    Accepted TLSv1 128 bits RC4-MD5
    Accepted TLSv1 40 bits EXP-RC4-MD5
All kinds of flavours, but not the specific SSLv2 we want. Does someone have an idea how we can activate the ciphers "SSLv2 168 bits DES-CBC3-MD5" and "SSLv2 128 bits RC4-MD5"?
Thanks, Joeri
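Added example, not part of the original post: the two scans quoted above compared programmatically instead of by eye, so the exact protocol/cipher pairs that differ between the CAS server and the F5 virtual server are listed. The parser assumes the `Accepted <protocol> <bits> bits <cipher>` layout shown in the post; the function and variable names are illustrative.

```python
import re

# Scan results copied from the post (two entries per line to keep this short).
CAS_SCAN = """
Accepted SSLv2 168 bits DES-CBC3-MD5   Accepted SSLv2 128 bits RC4-MD5
Accepted SSLv3 168 bits DES-CBC3-SHA   Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5        Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA     Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA        Accepted TLSv1 128 bits RC4-MD5
"""
F5_SCAN = """
Accepted SSLv3 256 bits AES256-SHA     Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA   Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-DES-CBC-SHA Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5        Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 256 bits AES256-SHA     Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA   Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5        Accepted TLSv1 40 bits EXP-RC4-MD5
"""

# One sslscan result: status, protocol, key length in bits, cipher name.
RESULT_RE = re.compile(
    r"(Accepted|Rejected|Failed)\s+(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+)\s+bits\s+(\S+)")

def accepted(scan_text):
    """Return the set of (protocol, bits, cipher) tuples reported as Accepted."""
    return {(m.group(2), int(m.group(3)), m.group(4))
            for m in RESULT_RE.finditer(scan_text) if m.group(1) == "Accepted"}

def compare(backend_text, frontend_text):
    """Split the accepted pairs into backend-only, frontend-only and shared."""
    backend, frontend = accepted(backend_text), accepted(frontend_text)
    return {"only_backend": sorted(backend - frontend),
            "only_frontend": sorted(frontend - backend),
            "common": sorted(backend & frontend)}

if __name__ == "__main__":
    for bucket, pairs in compare(CAS_SCAN, F5_SCAN).items():
        print(bucket)
        for proto, bits, cipher in pairs:
            print(f"  {proto:6} {bits:3} bits  {cipher}")
```

On the post's data, the backend-only bucket holds exactly the two SSLv2 entries, while the frontend-only bucket shows the 40-bit and 56-bit suites that the "ALL" cipher string switched on for the virtual server.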