Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Riverbed not supporting TLS1.2 connections

When using Riverbed SDN you may find that even though your client supports TLS 1.2 and your LM is set to TLS 1.2 the TCP dump will show the connection in TLS 1.0. this is because the SDN software Riverbed is using TLS 1.0 only unless the following changes are applied

All versions of RiOS starting 8.6 onward do indeed support TLSv1.2 however it is not enabled by default.

You will need to enable this feature using CLI - Please be advised that a service restart will be needed. You can do it with the following:

You will need to add these on both server and client side steelheads:

Steelhead (config) # protocol ssl backend client-tls-1.2 

Steelhead (config) # write mem 

Steelhead (config) # service restart 

Enables TLSv1.2 support between the SSL server and the Server Side SteelHead (S-SH) (not used to optimize client TLS 1.2 connections)

Steelhead (config) # protocol ssl backend server-tls-1.2 

Steelhead (config) # write mem

Enables TLSv1.2 support for secure peering between Steelheads

Steelhead(config) # secure-peering peer-tls-1.2

Under normal circumstances, the Server-SH intercepts the 'Client Hello' sent from the Client and sends a new 'Client Hello' to the Server. In RiOS versions prior to 9.0, the 'Client Hello' generated by S-SH will always be SSLv3, which means it cannot negotiate TLS 1.2 ciphers. To get around this problem, Adaptive Handshake must be enabled for SteelHeads running a release earlier than 9.0.

Adaptive Handshake means that when the Server-SH sends the new 'Client Hello', it uses the SSL protocol version of the 'Client Hello' it received. So if Server-SH received a TLS 1.2 Client Hello, it will send a TLS 1.2 Client Hello to the Server.

Adaptive Handshake can be enabled/disabled on the S-SH with the CLI command:

[no] protocol ssl backend adaptive-hs 

>> No service restart is required.

TLS 1.1/1.2 must be enabled in order to use the TLS 1.2 ciphers below. They were added to the CLI and WebUI.







Was this article helpful?
0 out of 0 found this helpful