Forum Discussion

Tech
Apr 26, 2024

Enable TLS 1.2 on the management interface of an F5 LTM running version 10.x

Hi Experts,

Our legacy F5 is running the image below, and we would like to enable TLS 1.2 for httpd on the management interface so that we can access the web UI using new browsers.

Sys::Version
Main Package
  Product  BIG-IP
  Version  10.2.4
  Build    817.0
  Edition  Hotfix HF7
  Date     Mon May 20 15:08:56 PDT 2013

We are following the steps mentioned in https://my.f5.com/manage/s/article/K40232071; unfortunately, this article is for versions 11.x and above.

We are getting the error below while changing the SSL setting to TLS 1.2.

(Active)(tmos)# modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1'
01070920:3: Application error for confpp: Syntax OK
Error in cipher list
25658:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:836:
'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1' invalid.
*************************************************************
Apr 26 13:17:23 CEGP001.IN.com confpp[25610]: syntax check command FAILURE for unix_config_httpd returned: '256'
[  OK  ]ing httpd: [  OK  ]

Your valuable suggestions would help us fix the GUI issue.

From the browser we are getting:

The connection for this site is not secure

10.70.89.37 uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2 Replies

  • First I would run the following command to see what the configuration is.

    list sys httpd

    Next, when you enter the following, I would use the question mark to see what configuration options are available to you. Sadly I do not have access to an F5 appliance with this code version, so I cannot provide the specific command. Essentially you need to create the appropriate cipher suite command to do what you want, and that changes a bit from version to version.

    modify sys httpd ssl-ciphersuite

    • Tech

      Hi Paulius,

      Thank you for your reply.

      list sys httpd
      sys httpd {
          allow { 10.41.32.0/255.255.224.0 }
          auth-pam-idle-timeout 36000
          include "
      <LocationMatch \";\">
          Redirect 404 /
      </LocationMatch>
      <LocationMatch \"hsqldb\">
          Redirect 404 /
      </LocationMatch>
          "
          ssl-ciphersuite ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
      }

      We have tried the commands below but had no luck, as these commands are for 11.x and above.

      To restrict Configuration utility access to clients using TLS 1.2 or RC4-SHA ciphers, type the following command:
      modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4-SHA:!SSLv2:-TLSv1:-SSLv3:-TLSv1.1'

      Alternatively, if you can restrict to only TLS 1.2 cipher, then type the following command instead:
      modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1'
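
The "SSL_CIPHER_PROCESS_RULESTR:invalid command" line in the original post is OpenSSL's cipher-string parser rejecting a token it does not recognise, so the practical check before committing any candidate to sys httpd ssl-ciphersuite is to hand the string to an OpenSSL parser and look at what survives. The block below is an added example written for this thread; it is not code from the post, from Paulius, or from F5. It uses Python's ssl module, which calls the OpenSSL cipher-string parser linked into the interpreter, to check the strings quoted in the thread, group the surviving suites by the protocol version that introduced them, list any below 128 bits of effective strength (the current 10.2.4 string keeps +LOW, +EXP and +SSLv2 in play), and optionally probe a management address pinned to a single TLS version. The caveat is the one the thread turns on: the OpenSSL on whatever host runs this is far newer than the one in BIG-IP 10.2.4, so acceptance here is necessary but not sufficient; the authoritative check is `openssl ciphers -v '<string>'` run on the BIG-IP itself, assuming the openssl binary is present there as on other Linux hosts. The address 10.70.89.37 from the post appears only as a commented-out placeholder for the probe; the validation functions make no network connections.

```python
"""Validate OpenSSL cipher-list strings before applying them to httpd.

Added example for this forum thread; not code from the original post or
from F5.  Python's ssl module hands the string to the OpenSSL cipher-string
parser (ssl_ciph.c) linked into the interpreter, the same parser family that
produced the 'invalid command' error on the BIG-IP, but a much newer
version of it.  Treat an 'accepted' result as necessary, not sufficient.
"""
import socket
import ssl
from collections import Counter

# Cipher strings quoted in the thread (the string currently on the 10.2.4
# box and the two K40232071 strings) plus one constructed nonsense string.
CANDIDATES = {
    "current 10.2.4 config":
        "ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP",
    "K40232071, TLS 1.2 or RC4-SHA":
        "ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4-SHA:!SSLv2:-TLSv1:-SSLv3:-TLSv1.1",
    "K40232071, TLS 1.2 only":
        "ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1",
    "constructed nonsense": "NOSUCHCIPHER",
}


def check_cipher_list(cipher_string):
    """Parse cipher_string with OpenSSL.

    Returns (accepted, ciphers, error).  ciphers is the list of dicts from
    SSLContext.get_ciphers() (name, protocol, strength_bits, ...) that
    survive the rule string; it is empty when OpenSSL rejects the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        return False, [], str(exc)
    return True, ctx.get_ciphers(), None


def by_protocol(ciphers):
    """Count surviving suites by the protocol version they require."""
    return dict(Counter(c["protocol"] for c in ciphers))


def weak_suites(ciphers, min_bits=128):
    """Names of surviving suites below min_bits of effective key strength."""
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]


def probe_tls_version(host, port=443, version=ssl.TLSVersion.TLSv1_2,
                      timeout=5.0):
    """Attempt a handshake pinned to exactly one TLS version.

    Returns the negotiated version string, or None if the connection or
    handshake fails.  Certificate verification is disabled because the aim
    is to learn protocol support, not trust; do not reuse this context.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Newer OpenSSL builds refuse TLS 1.0/1.1 at the default security
    # level; relax it so the answer reflects the server, not the client.
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    for label, rule in CANDIDATES.items():
        accepted, ciphers, err = check_cipher_list(rule)
        print(f"{label}: {rule}")
        if not accepted:
            print(f"  rejected by OpenSSL: {err}")
            continue
        print(f"  suites by protocol: {by_protocol(ciphers)}")
        print(f"  below 128 bits:     {weak_suites(ciphers) or 'none'}")
    # Network probe against the address from the post; uncomment on a host
    # that can reach the management interface.
    # for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
    #           ssl.TLSVersion.TLSv1_2):
    #     print(v.name, probe_tls_version("10.70.89.37", version=v))
```

Run it once with no arguments to see how each candidate string parses on the local OpenSSL, then copy the same strings to the BIG-IP and repeat the check with its own openssl before touching sys httpd; if the probe reports None for every version against the management address, the browser's ERR_SSL_VERSION_OR_CIPHER_MISMATCH is a protocol mismatch rather than a cipher mismatch.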