Forcing the use of tls1.2

Question

Hi,I want to disable all but tlsv1.2 and also want to disable  the use of DHE.&nbsp;Would just typing the following in ciphers list of a client profile will be enough?TLSV1_2:!DHE&nbsp;Please let me know what you think.&nbsp;Thanks

nag · Answer

Hi Qasim,&nbsp;Yeah, its a typo.. it should be DHE.&nbsp;#tmm&nbsp;-clientciphers 'default:!TSLv1:!TSLv1_1:!TSLv1_1::!TSLv1_3:!DTSLv1:!DHE'&nbsp;If it answered your question, could you mark it as resolved please &nbsp;Thank you,Nag

youssef1 · Answer

HI Qasim,&nbsp;You have to set your ssl profil like that:DEFAULT:!3DES:!DHE&nbsp;Then in order to allow only TLS1.2 you can do it using the GUI:&nbsp;&nbsp;keep me in touch if you need more details.&nbsp;regards

nag · Answer

HI Qasim,&nbsp;Here is the cipher string you can use:&nbsp;default:!TSLv1:!TSLv1_1:!TSLv1_1::!TSLv1_3:!DTSLv1:!DEH&nbsp;Hope this helps.&nbsp;YOu can check on all the supported ciphers using following command.&nbsp;#tmm -clientciphers 'default:!TSLv1:!TSLv1_1:!TSLv1_1::!TSLv1_3:!DTSLv1:!DEH'&nbsp;&nbsp;Hope this helps. Let me know if you have any questions.&nbsp;Nag

qasim · Answer

HI,thank you for your swift response that much appreciated.Wondering if the !DEH is a typo and that should be !DHE?​Also, what if I was to only allow the following suites for a particular VS:: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA33: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA34: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA36: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA37: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA38: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA39: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA40: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA41: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA42: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDHE_RSA43: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA44: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA

qasim · Answer

hi Yousef.&nbsp;that was very helpful and yes it worked. thank you for your help.

Forum Discussion

Forcing the use of tls1.2

Recent Discussions

Big-IP not recognized by Big-IQ

UCS backup not loading Big IP DNS pool

Application only need to access from 2 uris

XC Bot defense question

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

Enableing TLS1.2

What are You a Force For?

Brute Force protection for single parameter like OTP

HTTP Brute Force Mitigation Playbook: Bot Profile for Brute Force Mitigations - Chapter 5

HTTP Brute Force Mitigation Playbook: BIG-IP LTM Mitigation Options for HTTP Brute Force Attacks - Chapter 3

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS