Forum Discussion
PiotrL
Cirrus
CirrusForcing TLSv1_2 in the SSL Server Profile
Is it possible to configure SSL Server Profile so connectins from bigip started with TLSv1_2 ?
I tried to put in a ciphers field: TLSv1_2, but connections are still TLSv1, although in the client...
Kai_Wilke
MVP
MVPHi Piotr,
develop a cipher string that meets your security requiremend by using the command below...
[root@f501:Active:Standalone] config tmm --serverciphers "AES-GCM:-TLSv1:-TLSv1_1:-DTLSv1:@STRENGTH"
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49202 ECDH-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_RSA
2: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
3: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
4: 49198 ECDH-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_ECDSA
5: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
6: 163 DHE-DSS-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 DHE/DSS
7: 167 ADH-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ADH
8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
9: 49201 ECDH-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDH_RSA
10: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
11: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_ECDSA
12: 49197 ECDH-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDH_ECDSA
13: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
14: 162 DHE-DSS-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 DHE/DSS
15: 166 ADH-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ADH
[root@f501:Active:Standalone] config
... then use the cipher string within your Server SSL Profile. Its has to work and it will work for you... 😉
Cheers, Kai