Bug ID 583631: ServerSSL ClientHello does not encode the lowest supported TLS version, which might result in alerts and closed connections on older servers.

Last Modified: Jul 13, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.4, 11.5.4 HF1

Fixed In:
12.1.0 HF1, 12.1.0, 11.5.4 HF2

Opened: Mar 29, 2016

Severity: 1-Blocking

Symptoms

The server SSL ClientHello does not encode the lowest supported TLS version in the record layer. The outer record for a ClientHello carries the same version as the ClientHello itself. If, for example, the ClientHello advertises TLS 1.2, the outer record version is also TLS 1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.

Impact

The connection fails. The system might generate an alert.

Conditions

A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.

Workaround

Force the server SSL profile to use a lower TLS version by selecting 'No TLSv1.2' or 'No TLSv1.1' in the 'Options' section of the Server SSL profile.

Fix Information

When the db variable 'SSL.OuterRecordTls1_0' is set to 'enable' (the default), the outer SSL record always carries TLS 1.0 regardless of the version advertised in the ClientHello. You can use this db variable to prevent the issue with older servers that do not support TLS versions later than 1.0, which might otherwise generate an alert and close the connection.

Behavior Change

Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable 'SSL.OuterRecordTls1_0' is set to 'enable', the version present in the outer record is TLS 1.0 regardless of the version in the ClientHello. This is the default.
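As an added illustration of the Symptoms and Behavior Change above (example code, not part of this F5 record or of BIG-IP), the Python snippet below builds a minimal ClientHello record with independently chosen outer record and ClientHello version fields, then parses a record back and flags the pattern that older servers reject; the same check can be run over a captured ClientHello record. Pinning the record-layer version to TLS 1.0 for the ClientHello is the interoperable choice described in RFC 5246 Appendix E.1, which is what the fix does.

```python
import struct

# Record-layer and ClientHello version constants (RFC 5246 sections 6.2.1 and A.1)
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
VERSION_NAMES = {0x0300: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}

def build_client_hello(record_version, hello_version):
    """Build a minimal ClientHello record (constructed test data, not a capture).
    record_version goes into the outer TLSPlaintext header, hello_version into
    ClientHello.client_version, so the two can be set independently."""
    cipher_suites = b"\x00\x2f\x00\x35"       # TLS_RSA_WITH_AES_128/256_CBC_SHA
    body = (struct.pack(">H", hello_version)
            + bytes(32)                       # client_random (zeros for the example)
            + b"\x00"                         # empty session_id
            + struct.pack(">H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type = client_hello(1)
    return b"\x16" + struct.pack(">HH", record_version, len(handshake)) + handshake

def inspect_client_hello(record):
    """Parse the two version fields of a ClientHello record and report whether the
    outer record version exceeds TLS 1.0, the pattern that trips older servers."""
    if len(record) < 11:                      # 5-byte record header + 4-byte handshake header + version
        raise ValueError("record too short")
    content_type, record_version, record_len = struct.unpack(">BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    payload = record[5:5 + record_len]
    if len(payload) != record_len:
        raise ValueError("truncated record")
    if payload[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello_version = struct.unpack(">H", payload[4:6])[0]
    return {
        "record_version": VERSION_NAMES.get(record_version, hex(record_version)),
        "hello_version": VERSION_NAMES.get(hello_version, hex(hello_version)),
        "outer_record_above_tls10": record_version > TLS10,
    }

if __name__ == "__main__":
    # Affected behaviour: the outer record mirrors the TLS1.2 ClientHello.
    print(inspect_client_hello(build_client_hello(TLS12, TLS12)))
    # Fixed behaviour (SSL.OuterRecordTls1_0 enabled): outer record pinned to TLS1.0.
    print(inspect_client_hello(build_client_hello(TLS10, TLS12)))
```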

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips