Forum Discussion

ADALL_190792
Mar 05, 2015

SSLv3 to TLS 1.x Proxy

Hoping to find out if this is possible. We have a server that is only SSLv3 compatible, and due to compliance reasons we must use TLS 1.x. Is it possible to use the F5 as a proxy in this situation to terminate the connection from the client and have the BIG-IP connect with TLS 1.x? What's the best path? BIG-IP is 10.0.1. Thanks.

internal server SSLv3---> BIG-IP as proxy ---TLS 1.x---> Firewall ----> external service

3 Replies

  • To clarify, you have an SSL "client" that only speaks SSLv3 and must be able to speak to a TLS-only service? Or do you have a typical client and a server that can only speak SSLv3? Your ASCII diagram makes this slightly unclear.

    If you mean the typical scenario, this certainly is possible. You would configure the virtual server for SSL Bridging mode, with both a client-ssl profile and a server-ssl profile. Configure the client-ssl profile to disable SSLv3 and make whatever other modifications you need. The server-ssl profile can usually be left at default values and it should work with most servers.

  • Ok. In that case, a simple method of proxying this connection could be to add the remote TLS-only server as a node behind a virtual server that the SSLv3-only client has access to. The client-ssl profile on this virtual would support SSLv3, and the server-ssl profile would disable SSLv3.

    There are some caveats with this approach. If you don't have administrative control over the remote server, you will have to create your own SSL certificate and key with whatever the name of the TLS-only server is, and install it in the client-ssl profile. The client will have no direct knowledge of the validity of the certificate on the TLS-only server. If you do have control over the other server and it has a valid SSL certificate, I recommend installing it on your BIG-IP and attaching it to the client-ssl profile.

    If validating the remote server's certificate is important to you, you should read the "Trusted Certificate Authorities" section of SOL11220.
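The bridging setup the reply describes, written out as an added tmsh example (not from this thread or from F5 documentation). It assumes v11-style tmsh syntax; the poster's 10.0.1 uses an older command form. All object names, addresses, and the certificate/key file names are placeholders.

```tmsh
# Added example: SSLv3-only internal client -> BIG-IP (SSL bridging) -> TLS-only remote service.
# Assumes v11-style tmsh; adapt attribute names for v10.0.1. All names/addresses are placeholders.

# Pool holding the remote TLS-only server reached through the firewall (placeholder address)
create ltm pool pool_tls_only_service members add { 203.0.113.10:443 }

# Client-side profile: the legacy SSLv3 client terminates here, on the internal network.
# Per the reply, the cert/key carry the name of the TLS-only server so the client
# sees the hostname it expects (the client cannot validate the remote cert itself).
create ltm profile client-ssl clientssl_legacy_sslv3 {
    defaults-from clientssl
    cert tls_only_service.example.crt
    key tls_only_service.example.key
    ciphers "DEFAULT:SSLv3"
}

# Server-side profile: re-encrypts toward the remote service with SSLv3 disabled,
# so only TLS 1.x is offered on the leg that crosses the firewall.
# peer-cert-mode/ca-file make the BIG-IP validate the remote server's certificate
# against a trusted CA bundle (the SOL11220 point); drop them if validation is not needed.
create ltm profile server-ssl serverssl_tls_only {
    defaults-from serverssl
    ciphers "DEFAULT:!SSLv3"
    peer-cert-mode require
    ca-file ca-bundle.crt
}

# Virtual server the SSLv3-only client connects to: client-ssl on the clientside
# context, server-ssl on the serverside context, traffic forwarded to the pool.
create ltm virtual vs_sslv3_to_tls_proxy {
    destination 10.0.0.50:443
    ip-protocol tcp
    profiles add {
        tcp { }
        clientssl_legacy_sslv3 { context clientside }
        serverssl_tls_only { context serverside }
    }
    pool pool_tls_only_service
}
```

After loading this, a connection from the internal client is handled with the client-ssl profile while the BIG-IP opens a separate TLS 1.x session to the pool member, which is the split the reply describes.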