Bug ID 480039: Need to configure "No SSLv2" in ServerSSL profile when using Camellia ciphers

Last Modified: Nov 22, 2021

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.2, 12.1.1, 12.1.0, 12.0.0

Opened: Sep 18, 2014
Severity: 3-Major

Symptoms

When COMPAT ciphers are configured in a ServerSSL profile and Camellia ciphers are used for the SSL connection to the backend server, BIG-IP initiates the handshake with an SSLv2 client-hello, which Camellia ciphers do not support. If the server cannot handle the SSLv2 client-hello and ask for the right SSL version, it stops the SSL handshake.

Impact

The SSL connection cannot be established.

Conditions

Both of the following apply:

1. COMPAT mode is configured and Camellia ciphers are used to connect to the backend server.
2. The backend server runs OpenSSL with a protocol name specified, or is another server that cannot handle an SSLv2 client-hello.

Workaround

When using Camellia ciphers in COMPAT mode, configure "No SSLv2" in the options list of the ServerSSL profile.
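
To confirm the symptom, or that the workaround took effect, from a capture of the server-side connection, the added example below (not F5 code) classifies the first bytes sent to the backend as an SSLv2-format client-hello or an SSLv3/TLS record and lists any Camellia suites offered. The function name and both sample byte strings are constructed for illustration.

```python
import struct

# TLS suite numbers for the RSA Camellia-CBC-SHA suites (RFC 5932). In an
# SSLv2-format hello each TLS suite is carried as a 3-byte spec: 0x00, hi, lo.
CAMELLIA_SUITES = {0x0041: "CAMELLIA128-SHA", 0x0084: "CAMELLIA256-SHA"}


def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends on a new TCP connection."""
    if len(data) < 5:
        return {"format": "unknown", "reason": "too short"}
    # SSLv3/TLS record: content type 0x16 (handshake), major version 3.
    if data[0] == 0x16 and data[1] == 0x03:
        return {"format": "tls-record", "record_version": (data[1], data[2])}
    # SSLv2 record: 2-byte header with the high bit set, then msg type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        if len(data) < 11 or len(data) < 2 + length:
            return {"format": "sslv2-hello", "reason": "truncated"}
        spec_len, _sid_len, _chal_len = struct.unpack(">HHH", data[5:11])
        specs = data[11:11 + spec_len]
        camellia = []
        for i in range(0, len(specs) - 2, 3):
            suite = (specs[i + 1] << 8) | specs[i + 2]
            if specs[i] == 0 and suite in CAMELLIA_SUITES:
                camellia.append(CAMELLIA_SUITES[suite])
        return {
            "format": "sslv2-hello",
            "max_version": (data[3], data[4]),  # highest version advertised
            "camellia": camellia,
        }
    return {"format": "unknown", "reason": "unrecognized header"}


# Constructed sample: SSLv2-format hello advertising TLS 1.0 with two Camellia
# specs and one native SSLv2 spec, empty session ID, 16-byte zero challenge.
SSLV2_SAMPLE = bytes.fromhex(
    "8022" "01" "0301" "0009" "0000" "0010" "000041" "000084" "010080"
) + bytes(16)
# Constructed sample: start of a TLS 1.0 handshake record.
TLS_SAMPLE = bytes.fromhex("160301002f01")

if __name__ == "__main__":
    for name, sample in (("before", SSLV2_SAMPLE), ("after", TLS_SAMPLE)):
        print(name, classify_client_hello(sample))
```

A result of `sslv2-hello` with a non-empty `camellia` list matches the condition described in this bug; `tls-record` is what the backend should see once "No SSLv2" is set.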

Fix Information

None

Behavior Change