Disabling TLS v1 and TLS v1.1 Protocol
In reading up on the issue of disabling TLS v1/v1.1 I see talk mostly about ciphers. Shouldn't we be disabling the protocol? Is it possible there will be problems if the protocol is enabled but the cipher is disabled? DevCentral has significant information on cipher suites? Is this how we should approach TLS, or should we look at the protocol?
With LTM, is there a difference in how this is configured?
- Kevin_Stewart
Employee
There are usually different versions of a cipher for each protocol version.
1: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 AES SHA ECDHE_RSA
2: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 AES SHA ECDHE_RSA
3: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 AES SHA ECDHE_RSA
So disabling a cipher would remove all versions of that cipher. But if you truly want to just disable TLS1 and TLS1.1, you could use a cipher string like this:
DEFAULT:!TLSv1:!TLSv1_1
- Jana
Altostratus
Here is an amazing article which explains SSL protocols and ciphers and how to carefully choose them.
https://devcentral.f5.com/articles/cipher-suite-practices-and-pitfalls-25564?lc=1
I prefer using explicit ciphers along with options.
Example:
ltm profile client-ssl clientssl_custom {
    ciphers !SSLv3:!TLSv1:!TLSv1_1:!EXPORT:!ADH:!DHE:!RC4:!DES:!3DES:!MD5:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA:RSA+AES-GCM:RSA+AES
    options { dont-insert-empty-fragments no-ssl no-sslv2 no-sslv3 no-tlsv1 no-tlsv1.1 }
}

tmm --clientciphers '!SSLv3:!TLSv1:!TLSv1_1:!EXPORT:!ADH:!DHE:!RC4:!DES:!3DES:!MD5:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA:RSA+AES-GCM:RSA+AES'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
1: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
2: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
5: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
6: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_ECDSA
7: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.2 Native AES SHA ECDHE_ECDSA
8: 49187 ECDHE-ECDSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_ECDSA
9: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
10: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDHE_ECDSA
11: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_ECDSA
12: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
13: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
14: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
15: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
16: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
17: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
18: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
19: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
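Both answers above rely on reading the `tmm --clientciphers` listing to confirm what a cipher string actually leaves negotiable. The script below is an added example (not F5 code and not from either poster) that automates that check: it parses the listing in both layouts seen in the thread (with and without the METHOD column), reports which protocol versions remain, and lists the suites still offered under any protocol you have not approved. The sample rows and the `ALLOWED` set of acceptable protocol versions are constructed for the example and are assumptions, not part of the thread.

```python
"""Audit helper for `tmm --clientciphers` listings.

Added example (not F5 code, not from either post in this thread). It parses
the listing tmm prints for a cipher string and reports which protocol
versions remain negotiable, so after applying something like
DEFAULT:!TLSv1:!TLSv1_1 you can confirm that no TLS1 / TLS1.1 rows survive.
"""
from collections import defaultdict

# Constructed sample rows in the two layouts seen in the thread:
# the older 8-column layout (no METHOD column) ...
SAMPLE_BEFORE = """\
1: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 AES SHA ECDHE_RSA
2: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 AES SHA ECDHE_RSA
3: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 AES SHA ECDHE_RSA
"""

# ... and the 9-column layout with a METHOD column and a header line.
SAMPLE_AFTER = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
14: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
15: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
"""

# Protocol versions you are willing to offer (assumption for this example).
ALLOWED = frozenset({"TLS1.2", "TLS1.3"})


def parse_clientciphers(text):
    """Parse tmm --clientciphers output into a list of row dicts.

    Handles both the 8-field layout (no METHOD column) and the 9-field
    layout; header and blank lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].endswith(":"):
            continue  # header line ("ID SUITE ...") or blank line
        if len(parts) == 9:
            _, suite_id, name, bits, prot, method, cipher, mac, keyx = parts
        elif len(parts) == 8:
            _, suite_id, name, bits, prot, cipher, mac, keyx = parts
            method = None
        else:
            raise ValueError(f"unexpected row layout: {line!r}")
        rows.append({
            "id": int(suite_id), "name": name, "bits": int(bits),
            "prot": prot, "method": method, "cipher": cipher,
            "mac": mac, "keyx": keyx,
        })
    return rows


def protocols_in(rows):
    """Sorted list of distinct protocol versions present in the listing."""
    return sorted({r["prot"] for r in rows})


def legacy_rows(rows, allowed=ALLOWED):
    """Rows that would still be negotiable under a protocol not in `allowed`."""
    return [r for r in rows if r["prot"] not in allowed]


def report(text, allowed=ALLOWED):
    """Summarise a listing: protocols seen, and suite names per non-allowed protocol."""
    rows = parse_clientciphers(text)
    by_prot = defaultdict(list)
    for r in legacy_rows(rows, allowed):
        by_prot[r["prot"]].append(r["name"])
    return {"protocols": protocols_in(rows), "legacy": dict(by_prot)}


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        result = report(sample)
        print(f"{label}: protocols={result['protocols']} legacy={result['legacy']}")
```

Pipe the real `tmm --clientciphers '...'` output into `report()` after changing a profile; an empty `legacy` dict means nothing is left under TLS1 or TLS1.1. Note that the listing in the answer above still contains two DTLS1 rows (AES128-SHA and AES256-SHA), which this check will flag; whether that matters depends on whether the virtual server in question uses DTLS at all, so decide that case deliberately rather than by omission.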