Forum Discussion

aandreyy_293459
Mar 21, 2018

A Lot more failures after TLS1.0 disable

Hi all

maybe someone had a similar issue and can offer a workaround. After disabling TLS 1.0 for an existing SSL profile I can see many more failures in the statistics:

Failures

  • Premature Disconnects: 0
  • Handshake Failures: 49.1K
  • Renegotiations Rejected: 0
  • Fatal Alerts: 10.1K


in tcpdump I can see a layer 2 problem (it is strange how an SSL profile setting can affect that):

 

 

Before the LTM we have a firewall with NAT; I believe I need to modify some L2 settings, but in the same VLAN we still have profiles with TLS 1.0 working and they have a lot fewer failures (~0.1% if we compare with all connections on the profile). The TLS 1.0-disabled profiles have 15-20% failures if we compare with all connections to the SSL profile.

 

thanks for any ideas
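One way to find out which clients are behind the handshake failures, as an added example that is not part of the original post and not F5 code: take the first TLS record each failing client sends (the ClientHello visible in the tcpdump) and parse the highest protocol version it offers. A client whose maximum is TLS 1.0 will fail the handshake as soon as the profile stops accepting it, whatever the cipher string says. The two ClientHello byte strings below are constructed inline for the example; the record-layer version is deliberately ignored when classifying, because many clients put 0x0301 there regardless of what they actually support.

```python
"""Classify TLS ClientHello records by the highest version the client offers,
to see which clients cannot complete a handshake once TLS 1.0 is disabled.

Added example, not code from the thread or from F5. The sample ClientHello
bytes are constructed inline; on a real capture feed in the TCP payload of
the first client record of each failed connection instead.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (RFC 5246 / 8446 layout)."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + record_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")

    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                          # skip legacy_version and random
    pos += 1 + hello[pos]                 # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                 # compression methods

    supported_versions = None             # absent on old clients
    if pos + 2 <= len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext_data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                n = ext_data[0]           # byte length of the version list
                supported_versions = [struct.unpack("!H", ext_data[i:i + 2])[0]
                                      for i in range(1, 1 + n, 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": cipher_suites, "supported_versions": supported_versions}


def highest_offered_version(hello: dict) -> int:
    """supported_versions is authoritative when present (TLS 1.2+/1.3 clients);
    otherwise the legacy client_version field is the client's maximum."""
    if hello["supported_versions"]:
        return max(hello["supported_versions"])
    return hello["client_version"]


def will_fail_without_tls10(hello: dict, minimum: int = 0x0302) -> bool:
    """True when a profile accepting only `minimum` (default TLS 1.1) or newer
    cannot negotiate with this client."""
    return highest_offered_version(hello) < minimum


def build_client_hello(client_version, cipher_suites, supported_versions=None):
    """Constructed sample input: a minimal ClientHello record. The record-layer
    version is fixed at 0x0301 on purpose, as many real clients send."""
    body = struct.pack("!H", client_version) + b"\x11" * 32 + b"\x00"
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    if supported_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1)
        ext += bytes([len(vers)]) + vers
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs


# Constructed captures: a TLS 1.0-only legacy client and a modern client.
LEGACY_HELLO = build_client_hello(0x0301, [0x002F, 0x0035])
MODERN_HELLO = build_client_hello(0x0303, [0x1301, 0xC02F],
                                  supported_versions=[0x0304, 0x0303, 0x0302])


def classify(captures):
    """Return (highest version name, fails-without-TLS1.0) per capture."""
    out = []
    for raw in captures:
        h = parse_client_hello(raw)
        top = highest_offered_version(h)
        out.append((VERSION_NAMES.get(top, hex(top)), will_fail_without_tls10(h)))
    return out


if __name__ == "__main__":
    for name, fails in classify([LEGACY_HELLO, MODERN_HELLO]):
        print(f"max {name}: {'FAILS' if fails else 'ok'} once TLS 1.0 is disabled")
```

Run over the ClientHellos of the connections that show up under "Handshake Failures", this splits the 15-20% figure into clients that genuinely top out at TLS 1.0 and anything else, which is the distinction that matters before the change goes live.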

 

3 Replies

  • hi,

    F5 doesn't have any control over which protocol upstream devices communicate with; if we block TLS 1.0, an upstream device might still be communicating on TLS 1.0, causing high failures.

    Upstream devices/servers/user browsers should upgrade the TLS version.

    Thx

    Srini

     

  • How did you disable TLS 1.0?

    I had a weird behavior when I tried to disable TLS 1.0 in version 12.1.2.

    When I enabled No TLSv1 in the Options List, it disabled TLS 1.1 and left TLS 1.0 enabled.

    Can you scan your server with SSL Labs to see if you get the same behavior?

     

  • Hi, I disabled TLS 1.0 by changing the cipher string value in the SSL profile. I also scanned the site in SSL Labs; no TLS 1.0 for sure. Actually there are no complaints from anyone (who supports higher TLS versions) that there is any problem; I just want to be sure those errors are nothing serious before going live with TLS 1.0 disabled.