04/28/2009

BigIP: Enabling SSLv2

Let me begin by saying that there has to be an extremely good reason for doing this, because disabling SSLv2 has been a best practice for a while now. But if you are in the middle of migrating SSL termination from some older sites to a BigIP LTM, there are reports that older clients can no longer connect to a site, and you can't convince your business partners that keeping SSLv2 disabled post-migration is a good thing, then enabling SSLv2 on a VIP managed by your BigIP is surprisingly easy.

The first thing to realize is that, in the technology world we live in, not only do we have multiple words and phrases that mean the same thing (e.g. "session persistence", "session affinity", "sticky sessions"), but we also have common words and phrases that have different meanings depending on the product or technology (e.g. "cluster").

Take, for example, the word "ALL" when used in the context of SSL. In the Apache web server world, "ALL" means SSLv2, SSLv3, and TLSv1. In the BigIP world, "ALL" means SSLv3 and TLSv1. To enable SSLv2 on your Apache servers, you do nothing: the default behavior for SSLProtocol All means "all". To enable SSLv2 on a particular VIP in your BigIP, you edit the SSL Client Profile for that site and change Ciphers from Default to ALL:SSLv2. If you have followed my advice from a previous post on disabling SSLv2 and weak ciphers on a BigIP, you'll change ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW to ALL:!ADH:SSLv2:!EXPORT40:!EXP:!LOW (removing the exclamation point in front of SSLv2). This will enable SSLv2 but still keep those weak and null ciphers disabled.
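
Because the whole difference is a single exclamation point, it is worth being able to list which client SSL profiles have SSLv2 turned on once the exception is no longer needed. The following is an added example, not part of the original post or of any F5 tooling: it evaluates cipher strings using the BigIP meaning of ALL described above. It assumes OpenSSL-style token prefixes ("!" excludes permanently, "-" removes, "+" only reorders), and the profile names are hypothetical.

```python
# Added example: flag BigIP client SSL cipher strings that enable SSLv2.
# Assumption: colon-separated tokens with OpenSSL-style prefixes, where
# "!" excludes permanently, "-" removes, and "+" only reorders.

def sslv2_enabled(cipher_string):
    """Return True if the cipher string turns SSLv2 on.

    Per the post, BigIP's ALL and Default do not include SSLv2;
    it is enabled only by an explicit SSLv2 token.
    """
    enabled = False
    killed = False  # set by !SSLv2; a later SSLv2 token cannot undo it
    for raw in cipher_string.split(":"):
        token = raw.strip()
        if not token:
            continue
        prefix = token[0] if token[0] in "!-+" else ""
        parts = token[len(prefix):].upper().split("+")
        if "SSLV2" not in parts:
            continue  # ALL, DEFAULT, !ADH, !LOW ... never add SSLv2 here
        exact = parts == ["SSLV2"]  # compound tokens touch only a subset
        if prefix == "!" and exact:
            killed, enabled = True, False
        elif prefix == "-" and exact:
            enabled = False
        elif prefix == "" and not killed:
            enabled = True
    return enabled


def audit(profiles):
    """Return sorted names of profiles whose cipher string enables SSLv2."""
    return sorted(n for n, c in profiles.items() if sslv2_enabled(c))


# Constructed sample data: profile names are hypothetical, cipher
# strings are the ones quoted in the post.
SAMPLE_PROFILES = {
    "legacy_site_clientssl": "ALL:!ADH:SSLv2:!EXPORT40:!EXP:!LOW",
    "hardened_clientssl": "ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW",
    "stock_clientssl": "Default",
    "simple_legacy_clientssl": "ALL:SSLv2",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_PROFILES):
        print("SSLv2 enabled:", name, "->", SAMPLE_PROFILES[name])
```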
