Disabling TLS v1 and TLS v1.1 Protocol

Altostratus

Nov 28, 2018

Here is an amazing article which explains SSL protocols and ciphers and how to carefully choose them.

https://devcentral.f5.com/articles/cipher-suite-practices-and-pitfalls-25564?lc=1

I prefer using explicit ciphers along with options

Example:

ltm profile client-ssl clientssl_custom {
    ciphers !SSLv3:!TLSv1:!TLSv1_1:!EXPORT:!ADH:!DHE:!RC4:!DES:!3DES:!MD5:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA:RSA+AES-GCM:RSA+AES
    options { dont-insert-empty-fragments no-ssl no-sslv2 no-sslv3 no-tlsv1 no-tlsv1.1}
}

tmm --clientciphers '!SSLv3:!TLSv1:!TLSv1_1:!EXPORT:!ADH:!DHE:!RC4:!DES:!3DES:!MD5:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA:RSA+AES-GCM:RSA+AES'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
 1: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
 3: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
 5: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
 6: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
 7: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
 8: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
 9: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
10: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
11: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
12:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA
13:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
14:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
15:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
16:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
17:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
18:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
19:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA

Forum Discussion

Disabling TLS v1 and TLS v1.1 Protocol

F5 Academies Are Back – And We’re Coming to a City Near You

Introducing the F5 Application Study Tool (AST)

Recent Discussions

Best practice for network communication with LDAP server

Mutual TSL Between Two BigIPs

Question regarding F5 Viprion Configuration Migration to VE.

Big-Ip Edge Client specials characters problems

Which encyrtion algorithm is used when making Kerberos ticket encyrtion.

Related Content

F5 MCP(Model Context Protocol) Server

Proxy Protocol v2 Initiator

How to disable only TLS v1 & TLS v1.1 on specific virtual server

Proxy Protocol Initiator

Proxy Protocol Receiver

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS