How to disable TLS_FALLBACK_SCSV extension?

Question

Is there a way to disable the fallback protection for TLS. &nbsp;
it makes SWG almost unusable?
just logs full of 
Connection error: ssl_select_suite:5835: TLS_FALLBACK_SCSV with a lower protocol (86)&nbsp;

brad_parker · Answer

I do not believe there is an option to disable it on software versions that have it. Question would be, why are your clients trying to change their SSL version to a lower version after agreeing on the protocol?

andrew_c1 · Answer

I am trying to make SWG "go". but having lots of issues with TLS, i have only been packet caping the F5 to end server side but on all sites that are failing there is a protocol reneg requested. On the client side of the F5 we dont even get to SSL neg because the F5 to server fails first ( this is explicit proxy so F5 getting a proxy CONNECT).&nbsp;
If i modify the SSL profile i can find a configuration that will work with any particular site but then it will break other sites so i cant win.&nbsp;
It seems to me like the F5 is behaving like it is the server in the conversation when it is the client, clients are dumb they should just do what they are told....lol :)&nbsp;

Forum Discussion

How to disable TLS_FALLBACK_SCSV extension?

2 Replies

Recent Discussions

Advise on setting up IRULE

google autenticator broken barcode

Port Group on F5OS network setting

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Unwinding the Benefits of Investing in White Label Crypto Wallet

Related Content

F5 CIS, TLS Extensions, and troubleshooting

POODLE and TLS_FALLBACK_SCSV deep dive

TLS_FALLBACK_SCSV and tmsh syntax for disabling SSLv3

add /browerWeb Extension after domain name

Configuring AWS HA Failover Across AZs Without EIPs Using F5 Cloud Failover Extension (CFE)