Doran_Lum_13484
Oct 08, 2016

How to check if TLS 1.0 is enabled

Hi all, I'm running F5 LTM VE 12.0 and I'm wondering how I can tell if TLS 1.0 is enabled for my SSL client and server profiles. I left most of the config as default except the certs.

 

  • Hi, you can find the default cipher list at this link: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html

     

    If you have a question, I want to help you.

     

    • (Config check method) Replace DEFAULT with the actual cipher string in your clientssl profile (or serverssl profile)

    In BigIP BASH shell:

     

    tmm --clientciphers "DEFAULT"
    tmm --serverciphers "DEFAULT"
    

     

    If any lines of the output include PROT = TLS1, it's enabled, otherwise not.

    If output contains cURL (35) error code, TLSv1 is not available.

    • In case of publicly available web-sites, you can use many of the available online SSL-checkers (https://www.digicert.com/help, Qualys, Symantec...)
    • Josh_Jacobson_4

      One caveat for this: make sure to enclose the cipher string in single quotes if it has an exclamation point in it. SOL15194 has a great deal more info.
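The PROT check from the answer above, as an added example that is not part of the original thread or F5's own tooling: it matches the protocol token exactly, because a plain substring search for TLS1 also hits TLS1.1 and TLS1.2 rows. The function names and the sample rows are constructed for illustration, and the script assumes each suite row carries the protocol as its own whitespace-separated token two fields after the suite name.

```shell
#!/bin/bash
# Added example: list the TLS 1.0 suites in `tmm --clientciphers` or
# `tmm --serverciphers` output read from stdin.
# Assumption: rows look like "N: ID SUITE BITS PROT ...", so the suite name
# sits two fields before the protocol token.

# Print the suite name of every row whose protocol token is exactly "TLS1".
tls10_suites() {
    awk '{
        for (i = 3; i <= NF; i++)
            if ($i == "TLS1") { print $(i - 2); break }
    }'
}

# Exit status 0 if at least one TLS 1.0 suite is present, 1 otherwise.
tls10_enabled() {
    [ -n "$(tls10_suites)" ]
}

# Naive check for comparison: counts every row containing the substring
# "TLS1", which includes TLS1.1 and TLS1.2 rows.
naive_count() {
    grep -c 'TLS1'
}

# Constructed sample in the column layout the thread refers to (not captured
# from a real BIG-IP).
sample_output() {
    cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1:    53  AES256-SHA                       256  TLS1    Native  AES      SHA     RSA
 2:    53  AES256-SHA                       256  TLS1.1  Native  AES      SHA     RSA
 3:    53  AES256-SHA                       256  TLS1.2  Native  AES      SHA     RSA
 4:    10  DES-CBC3-SHA                     168  TLS1    Native  DES      SHA     RSA
EOF
}

# Demo on the constructed sample. On the BIG-IP, pipe the real command
# instead, keeping the cipher string in single quotes as noted above:
#   tmm --clientciphers '<your cipher string>' | tls10_suites
sample_output | tls10_suites
```
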

       

  • You can always verify by using nmap against one of your virtual servers using the SSL profile in question.

     

    Download Nmap, then run:

     

    nmap --script ssl-enum-ciphers -p 443 www.mysite.com

     

    -p indicates the port the server is listening on. You can point it to an FQDN or an IP address.