Forum Discussion

brepav123_22459's avatar
brepav123_22459
Icon for Cirrus rankCirrus
Mar 07, 2016

Change client TLS version through F5 server connection

Hi all, ive been presented with a challenge from our team here. We have an Oracle system that only supports connections up to TLS version 1.0. However one of the sites Oracle interacts with requires us to use TLS 1.2. Our thought was to use the F5 as a proxy for that connection. From the client (Oracle) to the F5 would be TLS version 1.0, then the connection from the F5 to the server (external website) would be TLS version 1.2. However in the testing ive done the F5 seems to pass through whatever TLS connection the client chooses. I've tested this by navigating to a TLS test page (through the F5) and seeing the server connection show the version as 1.0. Is there any way or trick to make the F5 connection to the server 1.2 then the connection to the client 1.0?

 

Thanks in advance for any and all replies!

 

application delivery
BIG-IP
LTM
tls

3 Replies

Sort By
  • Faruk_AYDIN's avatar
    Faruk_AYDIN
    Icon for Nimbostratus rankNimbostratus
    Mar 07, 2016

    Use in client SSL profile TLSv1 and in server SSL profile TLSv1_2. 

    tmsh create /ltm profile client-ssl  ciphers TLSv1


    
tmsh create /ltm profile server-ssl  ciphers TLSv1_2
  • Brad_Parker's avatar
    Brad_Parker
    Icon for Cirrus rankCirrus
    Mar 07, 2016

    You will need both a server and client SSL profile similar to what farukaydin put above, but you don't necessarily need to force TLSv1.2 on the client profile nor TLSv1.0 on the server profile. They will negotiate independent of each other as long as you DO NOT select Proxy SSL in the profile. Remember BIG-IP is full proxy from the get go so just applying a client and server SSL profile each SSL connection will be negotiate independently.

     

  • Maskman_58643's avatar
    Maskman_58643
    Icon for Nimbostratus rankNimbostratus
    May 02, 2018

    Hi,

     

    I have exactly the same problem. I want to know if there is something to do in the Oracle application to make him contact the F5 machine to do the job except a routing (route the application to the Gateway of the F5) ?

     

    Thanks in advance. Regards,