Forum Discussion
discovered that the SSL service on the server did not support the latest TLS 1.2 protocol.
Hi All,
So I got an alert message from an audit:
"discovered that the SSL service on the server www.example.com (x.x.x.x) did not support the latest TLS 1.2 protocol. The weak TLS 1.0 protocol was supported and the insecure SSL 3 protocol was not disabled"
What should I do and check in my F5?
thank you
7 Replies
- adithyodw_18563
Nimbostratus
Hi Henrik,
Thank you for your reply. Anyway, PFB my F5 version:

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.4.1
  Build    637.0
  Edition  Hotfix HF3
  Date     Fri Jan 17 13:32:07 PST 2014
Kernel
  Type     Linux
  Release  2.6.32-220.el6.f5.x86_64

"discovered that the SSL service on the server www.example.com (x.x.x.x) did not support the latest TLS 1.2 protocol. The weak TLS 1.0 protocol was supported and the insecure SSL 3 protocol was not disabled"

So what should I do with the first problem ("SSL service on the server did not support the latest TLS 1.2"), and for the second, should I enable No SSLv3?
thank you
- Henrik_Gyllkran
Nimbostratus
One resource that I think is really useful is this page that lists the ciphers supported on various versions:
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html?sr=49108706
As you can see if you compare 11.4.1 with later versions, there are a lot of cipher suites added after 11.4.1, so while 11.4.1 does support TLS 1.2 I suspect that the rather generic message "did not support the latest TLS 1.2 protocol" is simply referring to some enhancements that they aren't naming. Either way I would consider upgrading the BIG-IPs for the additional cipher suites.
As for the second problem, yeah, I would certainly enable No SSLv3. It's an antiquity by now, and if your users experience problems as a result then they should seriously consider their choices in life, as they are clearly using severely outdated browsers.
- Brad_Parker
Cirrus
Are you talking about SSL on the management interface, httpd? If so, you can update the following items to make the audit happy by enabling TLSv1.2 and disabling SSLv3.

tmsh modify sys httpd ssl-protocol 'all -SSLv2 -SSLv3'
tmsh modify sys httpd ssl-ciphersuite 'ECDSA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

Then save the config and restart httpd:

tmsh save sys config
bigstart restart httpd
- adithyodw_18563
Nimbostratus
Hi All,
So F5 asked me to refer to the URL below:
My question is: because this box is a production environment, can you give more impact analysis if we implement sol15702? Is there any impact to users or the production environment if we enable this feature? Please advise.
thank you
- Brad_Parker
Cirrus
Are you trying to disable SSLv3 on the management interface of the device itself, or for virtual servers on which you have SSL offload enabled, i.e. client SSL profiles?
- adithyodw_18563
Nimbostratus
My goal is: "discovered that the SSL service on the server www.example.com (x.x.x.x) did not support the latest TLS 1.2 protocol. The weak TLS 1.0 protocol was supported and the insecure SSL 3 protocol was not disabled"
- adithyodw_18563
Nimbostratus
Hi, any updates?
thank you
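The tmsh changes in Brad's reply fix the httpd side; to confirm the audit's three statements against the actual server before and after the change, here is an added shell example (not from this thread and not F5's code) that probes each protocol version with openssl s_client and maps the results onto the audit wording. The host, port and function names are mine; it assumes openssl is installed on the machine it runs from.

```shell
#!/bin/sh
# Added example, not F5 code: probe which SSL/TLS protocol versions a host
# accepts with openssl s_client, so the audit finding can be confirmed
# before and after changing the httpd or client-ssl settings on the BIG-IP.
# Assumes openssl is on PATH; a build without SSLv3 support reports
# "unknown" for that probe instead of a misleading "no".

# Classify one openssl s_client transcript as yes / no / unknown.
# Pure function, so it can be checked against recorded output offline.
classify_handshake() {
    case "$1" in
        *"Unknown option"*|*"unknown option"*|*"not found"*) echo unknown ;;
        *"Cipher is (NONE)"*) echo no ;;      # handshake refused
        *"Cipher is "*)       echo yes ;;     # a cipher was negotiated
        *)                    echo no ;;
    esac
}

# probe_proto HOST PORT FLAG   (FLAG is -tls1_2, -tls1 or -ssl3)
probe_proto() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
    classify_handshake "$out"
}

# audit_findings TLS12 TLS10 SSL3 -> the three findings the audit raises
audit_findings() {
    found=0
    [ "$1" = no ]  && { echo "FINDING: TLS 1.2 not supported"; found=1; }
    [ "$2" = yes ] && { echo "FINDING: weak TLS 1.0 supported"; found=1; }
    [ "$3" = yes ] && { echo "FINDING: insecure SSL 3 not disabled"; found=1; }
    [ "$3" = unknown ] && { echo "NOTE: this openssl cannot speak SSLv3; verify SSL 3 in the BIG-IP config"; found=1; }
    [ "$found" = 1 ] || echo "OK: TLS 1.2 supported, TLS 1.0 and SSL 3 disabled"
}

# Usage: sh probe_tls.sh www.example.com 443
if [ $# -eq 2 ]; then
    tls12=$(probe_proto "$1" "$2" -tls1_2)
    tls10=$(probe_proto "$1" "$2" -tls1)
    ssl3=$(probe_proto "$1" "$2" -ssl3)
    echo "TLS1.2=$tls12 TLS1.0=$tls10 SSLv3=$ssl3"
    audit_findings "$tls12" "$tls10" "$ssl3"
fi
```

Run it against the virtual server's address for the client SSL profile case and against the management address for the httpd case; the two are configured separately.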