Forum Discussion
F5 APM Check Domain Membership
To disable TLSv1.0 and TLSv1.1 for the device SSL certificate on an F5 device, you can follow these steps:
Access the F5 device's command-line interface (CLI) using SSH or console access.
Log in with appropriate administrative credentials.
Once logged in, enter the following command to access the device's configuration utility:
tmsh
Next, run the following command to modify the device certificate's SSL profile:
modify sys ssl-cert <certificate-name> defaults-from <existing-ssl-profile>
Replace <certificate-name> with the name of the device certificate you want to modify, and <existing-ssl-profile> with the name of the SSL profile from which you want to inherit settings. This could be an existing SSL profile or a custom SSL profile you have previously created.
After executing the previous command, you will be in the context of the modified certificate. Run the following command to access the SSL profile associated with the certificate:
modify sys ssl-cert <certificate-name> cert-key-chain cert-key-list <cert-key-list-name> profile
Replace <cert-key-list-name> with the name of the certificate key list associated with the device certificate.
Finally, run the following command to disable TLSv1.0 and TLSv1.1 for the device certificate:
modify sys ssl-cert <certificate-name> cert-key-chain cert-key-list <cert-key-list-name> ciphers <ciphers>
Replace <ciphers> with the list of ciphers you want to use for the device certificate, excluding the ones that support TLSv1.0 and TLSv1.1. You can specify a comma-separated list of ciphers.
For example, a sample command to disable TLSv1.0 and TLSv1.1 and enable only TLSv1.2 and TLSv1.3 might look like this:
modify sys ssl-cert <certificate-name> cert-key-chain cert-key-list <cert-key-list-name> ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
Save the changes and exit the CLI.
By following these steps, you can disable TLSv1.0 and TLSv1.1 for the device SSL certificate on your F5 device. Remember to replace the placeholder values with the appropriate names and settings for your specific environment.
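As an added check that is not part of the original post or F5's own tooling, the sketch below uses Python's `ssl` module to report whether a cipher string enables any suite that can still be negotiated under TLSv1.0 or TLSv1.1. It assumes the local OpenSSL build interprets the suite names the same way the BIG-IP does, and `audit_cipher_string` is a hypothetical helper name.

```python
import ssl

# Cipher string quoted in the post above (OpenSSL-style suite names).
POSTED = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)

# Labels OpenSSL reports for suites that only exist in TLS 1.2 or TLS 1.3.
MODERN_ONLY = {"TLSv1.2", "TLSv1.3"}


def audit_cipher_string(cipher_string):
    """Split the suites a cipher string enables by the oldest protocol they work in.

    Assumption: the local OpenSSL stands in for the device's cipher parser.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL rejects a string that selects no suite at all.
        return {"legacy": [], "modern": [], "error": "no usable suite"}
    report = {"legacy": [], "modern": [], "error": None}
    for suite in ctx.get_ciphers():
        # "protocol" is the minimum version the suite is defined for;
        # anything below TLSv1.2 keeps TLSv1.0/1.1 handshakes possible.
        bucket = "modern" if suite["protocol"] in MODERN_ONLY else "legacy"
        report[bucket].append(suite["name"])
    return report


if __name__ == "__main__":
    samples = {
        "posted string": POSTED,
        # Constructed variant: one CBC/SHA-1 suite appended to show a failure.
        "posted + AES128-SHA": POSTED + ":AES128-SHA",
    }
    for label, value in samples.items():
        result = audit_cipher_string(value)
        verdict = "FAIL" if result["legacy"] or result["error"] else "ok"
        print(f"{label}: {verdict} legacy={result['legacy']}")
```

OpenSSL configures TLSv1.3 suites separately from this string, so they appear in the `modern` list even though the string does not name them.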