Forum Discussion

mahjoub's avatar
mahjoub
Icon for Cirrus rankCirrus
Nov 29, 2020

Enableing TLS1.2

Hi Dears, I need to enable and use TLS 1.2 only instead of 1.0 or 1.1, for one specific published server. my BIG-IP version is 12.0 VE. this output may help you  ssl-ciphersuite DEFAULT:!aNULL:...
application delivery
BIG-IP
LTM
  • Mayur_Sutare's avatar
    Mayur_Sutare
    Nov 30, 2020

    Hi mahjoub,

     

    Yes, you can configure it through GUI.

     

    1. You need to create new client SSL Profile - Goto Local Traffic > Profiles > SSL > Client and create new profile.
    2. Under Advance setting, select Custom Cipher Suits to block required TLS/SSL versions. Appending "!" before any TLS/SSL, encryption parameter in cipher string blocks that particular version.
    3. There is one more way to configure same. Under client SSL Advance Configuration, select Options List in Options sections. Then You will get options to enable/disable particular TLS/SSL version. e.g. for blocking TLS1.1, you can enable No TLS1.1 in this section to it will block TLS1.1.

     

    This way you can achieve your requirement. You can refer below F5 articles for more details.

     

    https://support.f5.com/csp/article/K13171

    https://support.f5.com/csp/article/K33000012

     

    Hope it helps!

    Mayur

     

Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Nov 29, 2020

You need to create a specific Client-SSL profile for your virtual server

The cipher string should be

'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!TLSv1:!TLSv1_1'

You can also disable TLSv1 and TLSv1.1 Protocol as options in the client-SSL profile to ensure that those protocols cannot be negotiated.

  • mahjoub's avatar
    mahjoub
    Icon for Cirrus rankCirrus
    Nov 30, 2020

    Hi Simon,

    thanks for your reply, I already have the client profile and associated with server, now how to enable TLS 1.2 through GUI.