Forum Discussion
Forcing TLSv1_2 in the SSL Server Profile
Is it possible to configure the SSL Server Profile so that connections from the BIG-IP start with TLSv1_2?
I tried to put TLSv1_2 in the ciphers field, but connections are still TLSv1, although in the client hello packet the proposed version is TLS1.2. Unfortunately some servers just reset all connections if they are not TLS1.2.
Did you disable TLS1.0 and 1.1 in the options field?
Possible protocol negation options are No DTLS, No SSL, No SSLv2, No SSLv3, No TLS, No TLSv1, No TLSv1.1, and No TLSv1.2.
Cheers,
Kees
- ssharrett2018_3 (Nimbostratus)
Have you tried this in ciphers: DEFAULT:!DHE:!3DES:!TLSv1:!TLSv1_1
Hi Piotr,
Develop a cipher string that meets your security requirements by using the command below...

```
[root@f501:Active:Standalone] config # tmm --serverciphers "AES-GCM:-TLSv1:-TLSv1_1:-DTLSv1:@STRENGTH"
       ID  SUITE                          BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49202  ECDH-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDH_RSA
 2:   157  AES256-GCM-SHA384               256  TLS1.2  Native  AES-GCM  SHA384  RSA
 3: 49196  ECDHE-ECDSA-AES256-GCM-SHA384   256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
 4: 49198  ECDH-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDH_ECDSA
 5:   159  DHE-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
 6:   163  DHE-DSS-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM  SHA384  DHE/DSS
 7:   167  ADH-AES256-GCM-SHA384           256  TLS1.2  Native  AES-GCM  SHA384  ADH
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 9: 49201  ECDH-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDH_RSA
10:   156  AES128-GCM-SHA256               128  TLS1.2  Native  AES-GCM  SHA256  RSA
11: 49195  ECDHE-ECDSA-AES128-GCM-SHA256   128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
12: 49197  ECDH-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDH_ECDSA
13:   158  DHE-RSA-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
14:   162  DHE-DSS-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM  SHA256  DHE/DSS
15:   166  ADH-AES128-GCM-SHA256           128  TLS1.2  Native  AES-GCM  SHA256  ADH
[root@f501:Active:Standalone] config #
```

... then use the cipher string within your Server SSL Profile. It has to work, and it will work for you... 😉
Cheers, Kai
- youssef_100679 (Nimbostratus)
Hi,
You can force TLS 1.2; on the other hand, if the client does not support TLS 1.2, it risks receiving a reset...
So in order to force tls1.2 follow the below steps:
- open your ssl client profile.
- move the configuration from Basic to Advanced in order to see all functionality
- Check "Options" -> "Options List"
- Then from "Available Options", remove TLS, TLS1, TLS1.1
The only alternative the client will have is TLS 1.2.
Regards
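Putting the two answers together on the command line, as an added example that is not from any of the posters above: Kai's cipher-string approach and the options-list steps from youssef, applied to a Server SSL profile since the question is about the server side. Everything is typed on the BIG-IP bash shell. The profile name `serverssl_tls12_only`, the virtual server name `vs_app_https`, the pool-member address `10.1.20.11` and the appended `!ADH` term are assumptions for this example; `!ADH` is added because rows 7 and 15 of the `tmm --serverciphers` output above show that `AES-GCM` alone also selects the anonymous ADH suites.

```tmsh
# On the BIG-IP bash shell. serverssl_tls12_only, vs_app_https, 10.1.20.11
# and the "!ADH" term are assumptions for this example, not from the thread.

# 1. Preview what the cipher string selects before touching any profile.
#    "-TLSv1:-TLSv1_1:-DTLSv1" removes suites matched by the TLS 1.0,
#    TLS 1.1 and DTLS 1.0 keywords; "!ADH" permanently removes the anonymous
#    suites. Every row in the output should show PROT = TLS1.2.
tmm --serverciphers "AES-GCM:!ADH:-TLSv1:-TLSv1_1:-DTLSv1:@STRENGTH"

# 2. Create the Server SSL profile with that cipher string AND the older
#    protocol versions disabled in the options list. The options list is the
#    "No SSLv3" / "No TLSv1" / "No TLSv1.1" checkboxes in the GUI; it controls
#    which protocol versions the profile will negotiate, while the cipher
#    string only controls which suites are offered.
tmsh create ltm profile server-ssl serverssl_tls12_only \
    defaults-from serverssl \
    ciphers "AES-GCM:!ADH:-TLSv1:-TLSv1_1:-DTLSv1:@STRENGTH" \
    options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1.1 }

# 3. Attach it on the server side of the virtual server that fronts the
#    TLS-1.2-only pool.
tmsh modify ltm virtual vs_app_https profiles add { serverssl_tls12_only { context serverside } }

# 4. Confirm what was stored, then save.
tmsh list ltm profile server-ssl serverssl_tls12_only ciphers options
tmsh save sys config

# 5. Check from the BIG-IP itself how the pool member behaves: the TLS 1.2
#    handshake must succeed, and a forced TLS 1.1 attempt should be refused
#    by a server that only accepts TLS 1.2.
openssl s_client -connect 10.1.20.11:443 -tls1_2 </dev/null 2>&1 | grep -E 'Protocol|Cipher'
openssl s_client -connect 10.1.20.11:443 -tls1_1 </dev/null 2>&1 | tail -n 3
```

Once `no-tlsv1` and `no-tlsv1.1` are set, a pool member that cannot do TLS 1.2 will fail the server-side handshake and the BIG-IP will reset the client connection, which is the trade-off both answers mention; step 5 is the quickest way to find such members before the profile goes live, and handshake failures after that show up in /var/log/ltm.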