Bug ID 583631: ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1

Fixed In:
12.1.0 HF1, 12.1.0, 11.5.4 HF2

Opened: Mar 29, 2016
Severity: 1-Blocking


Server SSL ClientHello does not encode lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS1.2, the outer record will contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.


The connection fails. The system might generate an alert.


A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.


Force the server SSL profile to use a lower TLS version number by selecting 'No TLSv1.2' or 'No TLSv1.1' in the `options' section of the Server SSL Profile.

Fix Information

When enabled by setting the db variable, 'SSL.OuterRecordTls1_0,' to, 'enable,' the outer SSL record will always contain TLS1.0. This is the default. You can use this db variable to prevent an issue in older servers that do not support TLS versions later than 1.0, in which an alert might be generated closing the connection.

Behavior Change

Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable, 'SSL.OuterRecordTls1_0,' is set to 'enable' the version present in the outer record will be TLS 1.0 regardless of the version in the ClientHello. This is the default.