Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.4, 11.5.4 HF1
Fixed In:
12.1.0 HF1, 12.1.0, 11.5.4 HF2
Opened: Mar 29, 2016 Severity: 1-Blocking
Server SSL ClientHello does not encode the lowest supported TLS version. The outer record (the TLS record-layer header) for a ClientHello contains the same version as the ClientHello itself. If, for example, the ClientHello is TLS1.2, the outer record will also contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.
The connection fails. The system might generate an alert.
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.
Force the server SSL profile to use a lower TLS version number by selecting 'No TLSv1.2' or 'No TLSv1.1' in the 'Options' section of the Server SSL profile.
When enabled by setting the db variable 'SSL.OuterRecordTls1_0' to 'enable', the outer SSL record will always contain TLS1.0. This is the default. You can use this db variable to prevent an issue with older servers that do not support TLS versions later than 1.0, in which an alert might be generated that closes the connection.
Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable 'SSL.OuterRecordTls1_0' is set to 'enable', the version present in the outer record will be TLS 1.0 regardless of the version in the ClientHello. This is the default.
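The following is an added example, not code from F5 or from the BIG-IP product: it builds a minimal TLS ClientHello record with independently chosen record-layer and ClientHello versions, and parses a captured record to check which version the outer record carries. Use it to verify, from a packet capture of the server-side connection, whether the outer record is pinned to TLS1.0 (the fixed behavior) or mirrors the ClientHello version (the behavior described above). The 32-byte random, cipher suite and absence of extensions are constructed simplifications.

```python
import struct

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
VERSION_NAMES = {TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}

def build_client_hello(hello_version, record_version):
    """Build a handshake record carrying a minimal ClientHello.

    hello_version goes into ClientHello.client_version; record_version
    goes into the outer record-layer header. Keeping them separate lets
    us reproduce both the old (matching) and new (TLS1.0 outer) layouts.
    """
    body = struct.pack("!H", hello_version)          # client_version
    body += b"\x00" * 32                             # constructed random
    body += b"\x00"                                  # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"       # one cipher suite
    body += b"\x01\x00"                              # null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type=ClientHello
    header = b"\x16" + struct.pack("!HH", record_version, len(handshake))
    return header + handshake

def parse_versions(record):
    """Return (record_layer_version, client_hello_version) from raw bytes."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version, length = struct.unpack("!HH", record[1:5])
    handshake = record[5:5 + length]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello_version = struct.unpack("!H", handshake[4:6])[0]
    return record_version, hello_version

def outer_record_is_tls10(record):
    """True when the outer record is pinned to TLS1.0 regardless of the hello."""
    record_version, _ = parse_versions(record)
    return record_version == TLS10

def describe(record):
    rv, hv = parse_versions(record)
    return "outer=%s hello=%s" % (VERSION_NAMES.get(rv, hex(rv)),
                                  VERSION_NAMES.get(hv, hex(hv)))

if __name__ == "__main__":
    print(describe(build_client_hello(TLS12, TLS12)))  # old behavior
    print(describe(build_client_hello(TLS12, TLS10)))  # fixed behavior
```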