Forum Discussion

cofotony
Jul 12, 2017

SSLv2 Compatible Client Hello - v10.2.4 - is it possible not to send this format in a monitor?

https://devcentral.f5.com/questions/1024-lotus-domino-web-server-sslv2-compatible-client-hello

My query is essentially the same as the above, query 2). We've an LTM trying to monitor a pool of JVMs, the JVMs are set to only accept tlsv1-1.2 and are rejecting the SSLv2 compatible client hello even though it contains tlsv1.0.

If I try an openssl connection and add a -no_ssl2 at the end I connect, no problems. But if I amend the cipher list in the https monitor the LTM still sends the sslv2 compatible hello. Has anyone come across this before and figured out a workaround? Upgrading isn't an option.

Thanks, Tony.

1 Reply

  • In case anyone has the same issue, I found an answer eventually. There is an SSLv2Hello protocol that is disabled by default on newer software revisions. In my case it was Java 1.7 (whereas on Java 1.6 it's enabled by default). So the LTM sends an SSLv2-compatible hello, which in my case is a TLS 1.0 hello encapsulated in an SSLv2 packet (or something along those lines), and unless the SSLv2Hello protocol is allowed this will be rejected. Even when we allowed SSLv2 completely the hello was being rejected.

    There are some details in the link below, but in case you don't have a login:

    https://access.redhat.com/solutions/1254343

    For example, on EAP 6: Raw or on EAP 7: Raw
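The distinction the reply turns on is the wire format of the ClientHello, not the TLS version it advertises: an SSLv2-compatible hello uses the SSLv2 two-byte record header with a TLS version number inside, while a normal hello is an SSLv3/TLS record (content type 0x16). The script below, added here as an illustration and not taken from the thread, F5, or Red Hat, parses both formats from a captured packet and applies the acceptance rule the reply describes (SSLv2-format hello rejected unless SSLv2Hello is enabled, whatever version it carries). The two sample hellos are constructed by hand from the formats in RFC 2246 Appendix E and section 7.4.1.2; the `server_accepts` rule is a model of the behaviour the reply reports, not Java's actual implementation.

```python
"""Classify a captured ClientHello as SSLv2-compatible or SSLv3/TLS record
format, and check it against a server's enabled-protocol list.

Added example, not code from the forum thread.  Sample bytes are
constructed by hand; the challenge/random fields are fixed, not random.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# Constructed sample: a TLS 1.0 hello wrapped in an SSLv2 record, the kind of
# hello the reply says the LTM monitor sends.
SSLV2_COMPAT_HELLO = (
    b"\x80\x1f"              # SSLv2 2-byte header: high bit set, 15-bit length = 31
    b"\x01"                  # CLIENT-HELLO
    b"\x03\x01"              # version carried inside the SSLv2 wrapper: TLS 1.0
    b"\x00\x06"              # cipher_spec_length: two 3-byte specs
    b"\x00\x00"              # session_id_length
    b"\x00\x10"              # challenge_length: 16
    b"\x00\x00\x04"          # TLS_RSA_WITH_RC4_128_MD5 in 3-byte SSLv2 form
    b"\x00\x00\x2f"          # TLS_RSA_WITH_AES_128_CBC_SHA in 3-byte SSLv2 form
    + bytes(range(16))       # challenge (constructed)
)

# Constructed sample: the same offer as a plain TLS 1.0 record, the format a
# client sends once SSLv2 compatibility is switched off.
TLS_RECORD_HELLO = (
    b"\x16\x03\x01\x00\x2f"  # record header: handshake, TLS 1.0, length 47
    b"\x01\x00\x00\x2b"      # handshake header: client_hello, length 43
    b"\x03\x01"              # client_version TLS 1.0
    + bytes(range(32))       # random (constructed)
    + b"\x00"                # session_id_length
    b"\x00\x04"              # cipher_suites length
    b"\x00\x04\x00\x2f"      # RC4-MD5, AES128-SHA
    b"\x01\x00"              # compression_methods: null only
)


def parse_sslv2_compatible(data: bytes) -> dict:
    """Parse an SSLv2-format CLIENT-HELLO (RFC 2246 Appendix E.1)."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 2-byte record header")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or body[0] != 0x01:
        raise ValueError("truncated record or not CLIENT-HELLO")
    version = (body[1] << 8) | body[2]
    cs_len, sid_len, ch_len = struct.unpack(">HHH", body[3:9])
    specs = body[9:9 + cs_len]
    if cs_len % 3 or len(body) != 9 + cs_len + sid_len + ch_len:
        raise ValueError("length fields do not add up")
    # Each cipher spec is 3 bytes; a leading 0x00 marks a TLS suite carried in
    # the SSLv2 wrapper, so the low two bytes are the ordinary TLS suite id.
    suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return {"format": "sslv2-compatible",
            "version": VERSION_NAMES.get(version, hex(version)),
            "cipher_suites": suites}


def parse_tls_record(data: bytes) -> dict:
    """Parse a ClientHello inside an SSLv3/TLS handshake record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack(">H", data[3:5])
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not client_hello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated client_hello")
    version = (body[0] << 8) | body[1]
    pos = 35 + body[34]  # skip client_version, 32-byte random and session id
    if pos + 2 > len(body):
        raise ValueError("truncated client_hello")
    (cs_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    suites = [int.from_bytes(body[pos + i:pos + i + 2], "big") for i in range(0, cs_len, 2)]
    return {"format": "tls-record",
            "version": VERSION_NAMES.get(version, hex(version)),
            "cipher_suites": suites}


def classify_client_hello(data: bytes) -> dict:
    """Dispatch on the first byte: 0x16 is a TLS record, a set high bit is SSLv2."""
    if data and data[0] == 0x16:
        return parse_tls_record(data)
    if data and data[0] & 0x80:
        return parse_sslv2_compatible(data)
    raise ValueError("unrecognised first byte %r" % data[:1])


def server_accepts(hello: dict, enabled_protocols: set) -> bool:
    """Model of the rule the reply describes (not Java's real code): an
    SSLv2-format hello is refused unless 'SSLv2Hello' is enabled, regardless
    of the TLS version inside it; otherwise only that version matters."""
    if hello["format"] == "sslv2-compatible" and "SSLv2Hello" not in enabled_protocols:
        return False
    return hello["version"] in enabled_protocols


if __name__ == "__main__":
    # A server with SSLv2Hello disabled, as the reply says Java 1.7 is by default.
    strict = {"TLSv1", "TLSv1.1", "TLSv1.2"}
    for raw in (SSLV2_COMPAT_HELLO, TLS_RECORD_HELLO):
        hello = classify_client_hello(raw)
        print(hello, "accepted" if server_accepts(hello, strict) else "rejected")
```

Both samples advertise TLS 1.0 and the same two suites, yet only the TLS-record one passes the strict server, which is exactly the symptom in the question: changing the monitor's cipher list cannot help, because the problem is the record framing rather than the versions or ciphers offered.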