Forcing TLSv1_2 in the SSL Server Profile

Question

Is it possible to configure SSL Server Profile so connectins from bigip started with TLSv1_2 ?&nbsp;
I tried to put in a ciphers field: TLSv1_2, but connections are still TLSv1, although in the client hello packet the proposed version is TLS1.2. 
Unfortunately some servers just reset all connections, if are not TLS1.2.&nbsp;

keesvandenbos · Answer

Did you disable TLS1.0 and 1.1 in the options field??&nbsp;
Possible protocol negation options are No DTLS, No SSL, No SSLv2, No SSLv3, No TLS, No TLSv1, No TLSv1.1, and No TLSv1.2.&nbsp;
Cheers,&nbsp;
Kees&nbsp;

ssharrett2018_3 · Answer

Have you tried this in ciphers:
DEFAULT:!DHE:!3DES:!TLSv1:!TLSv1_1&nbsp;

kai_wilke · Answer

Hi Piotr,
develop a cipher string that meets your security requiremend by using the command below... 
[root@f501:Active:Standalone] config  tmm --serverciphers "AES-GCM:-TLSv1:-TLSv1_1:-DTLSv1:@STRENGTH"
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA 
 1: 49202  ECDH-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM   SHA384  ECDH_RSA  
 2:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA       
 3: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 4: 49198  ECDH-ECDSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM   SHA384  ECDH_ECDSA
 5:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  EDH/RSA   
 6:   163  DHE-DSS-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  DHE/DSS   
 7:   167  ADH-AES256-GCM-SHA384            256  TLS1.2  Native  AES-GCM   SHA384  ADH       
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA 
 9: 49201  ECDH-RSA-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM   SHA256  ECDH_RSA  
10:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA       
11: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
12: 49197  ECDH-ECDSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM   SHA256  ECDH_ECDSA
13:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  EDH/RSA   
14:   162  DHE-DSS-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  DHE/DSS   
15:   166  ADH-AES128-GCM-SHA256            128  TLS1.2  Native  AES-GCM   SHA256  ADH       
[root@f501:Active:Standalone] config

... then use the cipher string within your Server SSL Profile. Its has to work and it will work for you... 😉
Cheers, Kai

youssef_100679 · Answer

Hi,&nbsp;
You can force tls1.2, on the other hand if the client does not support tls1.2,  it risks to receive a reset...&nbsp;
So in order to force tls1.2 follow the below steps:&nbsp;
open your ssl client profile.move configuration from basic to advanced in order to see all functionnalityCheck "Options" -&gt; "Options List"Then from "Available Options", remove TLS, TLS1, TLS1.1
the only alternative that the client will have is the tls1.2.&nbsp;
Regards&nbsp;

Forum Discussion

Forcing TLSv1_2 in the SSL Server Profile

4 Replies

Recent Discussions

Reliable resources for identifying IP addresses

Maximum throughput of f5 ltm

Issue on license renewal

iRule cookie persistence and pool redirect

redirect not working

Related Content

HTTP Brute Force Mitigation Playbook: Bot Profile for Brute Force Mitigations - Chapter 5

Brute Force protection for single parameter like OTP

What are You a Force For?

SSL Profiles

Server Profile SNI