Forum Discussion

richardgamboac1
Oct 10, 2019

serverssl and serverssl-insecure-compatible

I just want to go deep on these two server SSL profiles: what are the differences, and when should each one be used?

  • Hi richardgamboacordova,

    serverssl {
        ciphers DEFAULT
        secure-renegotiation require-strict
    }

    serverssl-insecure-compatible {
        ciphers !EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED
        secure-renegotiation request
    }

    Secure Renegotiation:

    Specifies the method of secure renegotiation for SSL connections. The default is Require Strict. If your configuration requires insecure SSL renegotiation, set this to Request.

    • Request: Specifies the system requests secure renegotiation of SSL connections.
    • Require: Specifies the system requires secure renegotiation of SSL connections. In this mode, the system permits initial SSL handshakes from clients, but terminates renegotiations from unpatched clients. For server SSL renegotiation, this mode works the same as Require Strict.
    • Require Strict: Specifies the system requires strict secure renegotiation of SSL connections. In this mode, the system refuses new SSL connections to insecure servers and terminates existing SSL connections to insecure servers.
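An added example, not part of the original post or of F5's own tooling: a small audit script that parses profile blocks in the tmsh "list" style quoted above and flags the settings the thread discusses (a secure-renegotiation mode other than require-strict, and cipher-string groups that admit RC4, DES, 3DES or EXPORT). The parser handles only flat "name { key value }" blocks like the two shown, not the full tmsh grammar; the sample text is reconstructed from the post.

```python
"""Audit F5 server-ssl profile text (tmsh 'list' style) for weak settings."""
import re

# Constructed sample: the two profile blocks quoted in the thread above.
SAMPLE = """
serverssl {
    ciphers DEFAULT
    secure-renegotiation require-strict
}
serverssl-insecure-compatible {
    ciphers !EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED
    secure-renegotiation request
}
"""

# Cipher-string tokens worth flagging on a backend (server-side) TLS link.
WEAK_TOKENS = {"RC4", "DES", "3DES", "EXPORT", "MD5", "NULL"}

def parse_profiles(text):
    """Return {profile_name: {key: value}} from flat 'name { key value ... }' blocks.
    Assumption: one attribute per line, no nested braces (true for the sample)."""
    profiles = {}
    for name, body in re.findall(r"(\S+)\s*\{([^}]*)\}", text):
        attrs = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            if key:
                attrs[key] = value.strip()
        profiles[name] = attrs
    return profiles

def audit(profile):
    """Return a list of findings for one profile's attribute dict."""
    findings = []
    # The thread states the default is require-strict, so a missing key is treated as that.
    reneg = profile.get("secure-renegotiation", "require-strict")
    if reneg != "require-strict":
        findings.append(f"secure-renegotiation is '{reneg}', not 'require-strict'")
    ciphers = profile.get("ciphers", "DEFAULT")
    # Split on ':'; skip '!'-excluded groups and '@'-ordering directives such as @SPEED.
    for group in ciphers.split(":"):
        if group.startswith(("!", "@")):
            continue
        for alg in group.split("+"):
            if alg in WEAK_TOKENS:
                findings.append(f"cipher string allows {alg} via '{group}'")
    return findings

def audit_text(text):
    """Audit every profile block found in the text; {} means nothing to flag."""
    return {name: audit(p) for name, p in parse_profiles(text).items()}
```

Running `audit_text(SAMPLE)` yields no findings for serverssl and five for serverssl-insecure-compatible (the request mode plus the RC4, DES and two 3DES groups).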
    • richardgamboac1

      Hi eaa,

      Thank you for your response. I have two questions, please.


      1. What does "unpatched clients" mean? And does this field (secure-renegotiation) work for client SSL profiles too?
      2. If the back-end servers have an insecure self-created certificate (IIS servers), does the F5 need the back-end servers' certificate on the server SSL profile, or does it just need the serverssl-insecure-compatible profile?

      Thank you!
      • boneyard

        Unpatched means servers that don't support secure renegotiation yet. And yes, a similar option is available in the client-side SSL profile.


        With most default server SSL profiles the certificate is not checked at all, so that will work by default. Secure renegotiation is not related to the certificate; it is related to renegotiating a session later on.