Forum Discussion

James_Smith_299
Nimbostratus
Jun 04, 2018

Allow TLS1.2 Only

BIG-IP LTM running v12.1.2 HF2. End goal is to allow TLS1.2 only. We tried the steps below, but the application failed to launch.

Followed this guide to reconfigure the Client SSL Profile: https://support.f5.com/csp/article/K17370

We already have a custom SSL_Custom_Web profile, which we updated:

1. Local Traffic >> Profiles >> SSL >> Client >> SSL_Custom_Web >> Configuration >> Advanced.
2. Ciphers text box >> replace DEFAULT with TLSv1_2.

Should I have appended TLSv1_2 instead of replacing DEFAULT?

    • James_Smith_299
      Nimbostratus

      Hi Sunny,

      That string will allow the TLS1.2 protocol and block the following 4 ciphers: DES, 3DES, RC4, ADH?

      My customer's goal is to allow any cipher that uses TLS1.2. Or is your suggestion in consideration of the Win7 / IE11 context?

    • Sunny_291145
      Nimbostratus

      Yes, this will block those 4 ciphers, and Windows servers will block those due to weak ciphers.

  • 1. Log in to the Configuration utility.
    2. Navigate to Local Traffic > Profiles > SSL > Client.
    3. Click Create to create a new profile, or click the name of an existing profile to edit it.
    4. For a new profile, under General Properties, type a name.
    5. For Configuration, click Advanced.
    6. For Ciphers, select the Custom check box.
    7. (BIG-IP 13.0.0 and later) Under Configuration, for Ciphers, click Cipher String.
    8. Type the cipher string into the Cipher String box.

    For example, the following string configures an SSL profile to use only TLSv1.2 protocol ciphers:

    TLSv1_2

  • JG
    Cumulonimbus

    Rather than removing ciphers supported for the unwanted versions of SSL/TLS, simply disable support for those insecure protocols.

    Within the SSL profile, select from "Options List" the following:

    • No SSLv2
    • No SSLv3
    • No TLSv1
    • No TLSv1.1

    Keep in mind that there could be a lot of clients out there that do not use TLSv1.2, particularly those used for internal service integration purposes; they are typically lagging behind in maintenance.
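Both approaches in this thread, the `TLSv1_2` cipher string from the K17370 steps and JG's protocol options (No SSLv3, No TLSv1, No TLSv1.1), aim at the same observable result: the virtual server completes a TLS 1.2 handshake and refuses anything older. The check a practitioner wants after either change is to probe the VIP once per protocol version and see exactly what a lagging client (JG's caveat, and the application that "failed to launch" for the original poster) will experience. The Go program below is an added example written for this page, not code from F5 or from anyone in the thread. It stands up a local stand-in for the virtual server with a selectable minimum protocol version, using a self-signed certificate generated in memory (constructed test material; the name `vip.example.test` and all function names are assumptions of the example), then pins a client handshake to exactly TLS 1.0, 1.1 and 1.2 in turn and records which ones the server accepts. `probeAll` takes any `host:port`, so it can be pointed at a real BIG-IP virtual server as well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const (
	TLS10 = tls.VersionTLS10
	TLS11 = tls.VersionTLS11
	TLS12 = tls.VersionTLS12
)

// Version names spelled the way the profile's Options List spells them (No TLSv1, No TLSv1.1 ...).
var versionNames = map[uint16]string{TLS10: "TLSv1", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}

// selfSignedCert makes a throwaway ECDSA P-256 certificate in memory (constructed test material, not a real key).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vip.example.test"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer stands in for the virtual server. minVersion is the oldest protocol it still accepts:
// TLS10 plays a profile with nothing disabled, TLS12 one with No SSLv3, No TLSv1 and No TLSv1.1 selected.
func startServer(minVersion uint16) (string, func(), error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVersion, MaxVersion: TLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			// Drive the handshake so the client gets a definite accept or a protocol-version alert.
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// probeAll pins a client handshake to one protocol version at a time and records whether the server completed it.
func probeAll(addr string) map[uint16]bool {
	accepted := map[uint16]bool{}
	for _, v := range []uint16{TLS10, TLS11, TLS12} {
		cfg := &tls.Config{MinVersion: v, MaxVersion: v, InsecureSkipVerify: true} // policy check, not a chain check
		conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
		accepted[v] = err == nil
		if err == nil {
			conn.Close()
			fmt.Printf("  %-8s accepted\n", versionNames[v])
		} else {
			fmt.Printf("  %-8s refused: %v\n", versionNames[v], err)
		}
	}
	return accepted
}

// tls12Only is the pass/fail the original poster wants: TLS 1.2 works and nothing older does.
func tls12Only(accepted map[uint16]bool) bool {
	return accepted[TLS12] && !accepted[TLS10] && !accepted[TLS11]
}

func main() {
	for _, floor := range []uint16{TLS10, TLS12} {
		addr, stop, err := startServer(floor)
		if err != nil {
			panic(err)
		}
		fmt.Printf("server floor %s:\n", versionNames[floor])
		fmt.Println("  TLS 1.2 only:", tls12Only(probeAll(addr)))
		stop()
	}
}
```

With a floor of TLS10 all three probes succeed, which is the state a permissive profile leaves you in; with a floor of TLS12 the TLS 1.0 and 1.1 probes fail with a protocol-version alert and only TLS 1.2 completes, which is what `tls12Only` reports. Run against the real VIP, a refused probe is the same failure an old client sees, so this is a cheap way to find the integration clients JG warns about before they find you. On the BIG-IP itself, `tmm --clientciphers 'TLSv1_2'` lists the cipher and protocol pairs a cipher string actually selects, which shows what the profile offers without a client having to negotiate for it.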