Hi all,Could you help me how to disable only TLS v1 & TLS v1.1 on specific virtual server and no to entire ssl profile.Thank you in advance,

try this irule: when CLIENT_ACCEPTED { SSL::profile vip_ssl_no_TLSv1} where vip_ssl_no_TLSv1 is another SSL profile where you disable whatever you want. I tested with this cipher string : DEFAULT:!TLSv1:!TLSv1_1

Cpet

Altocumulus

Feb 22, 2023

Solved

How to disable only TLS v1 & TLS v1.1 on specific virtual server

Hi all,

Could you help me how to disable only TLS v1 & TLS v1.1 on specific virtual server and no to entire ssl profile.

Thank you in advance,

cloud

devops

security

mihaic
Feb 22, 2023
try this irule:

when CLIENT_ACCEPTED {
SSL::profile vip_ssl_no_TLSv1
}

where vip_ssl_no_TLSv1 is another SSL profile where you disable whatever you want.

I tested with this cipher string : DEFAULT:!TLSv1:!TLSv1_1

8 Replies

mihaic
MVP
Feb 22, 2023
here is a link that shows you how,:

https://support.f5.com/csp/article/K33000012

you do it from SSL CLient profile.
- Cpet
  Altocumulus
  Feb 22, 2023
  Hi Mihaic,
  Thanks for your responce.
  I have allready read the suggested article but i want to disable TLS v1 & TLS v1.1 only on a specific virtual server without disable TLS v1 & TLS v1.1 in the SSL profile.Is it possible with an irule for example?
  - P_Kueppers
    MVP
    Feb 22, 2023
    Create a new SSL-Profile and use your current one as parent. Then deactivate tls1/1.1 and put this on the virtual server.

mihaic

MVP

Feb 22, 2023

Usually, you have an SSL client profile per virtual server, right? I don't see why you want to do it in an irule.

You can try to reject the connection if it has a TLS version, but I don't know if you can change the TLS version:

when CLIENTSSL_CLIENTHELLO {
    if {([SSL::cipher version] equals "TLSv1.1") || ([SSL::cipher version] equals "TLSv1")} {
        log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - REJECT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
        reject }
    else
    {
        log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - ACCEPT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    }

}

Cpet
Altocumulus
Feb 22, 2023
In that case i have many VS with the same SSL profile and I wanted to know if it was possible to do it with an irule.
I will try the suggested irule.
Thanks

mihaic
MVP
Feb 22, 2023
try this irule:

when CLIENT_ACCEPTED {
SSL::profile vip_ssl_no_TLSv1
}

where vip_ssl_no_TLSv1 is another SSL profile where you disable whatever you want.

I tested with this cipher string : DEFAULT:!TLSv1:!TLSv1_1
- Cpet
  Altocumulus
  Feb 22, 2023
  It works!
  Thank you for your support.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

How to disable only TLS v1 & TLS v1.1 on specific virtual server

8 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Big-IP LTM integration with Big-IP DNS in Azure

Cannot ping external interface

HA Failover between two Datacenters

What does session_id = 0 means in ASM session tracking?

Extend capacity of the blade on Velos

Related Content

Disabling Specific Weak Cipher Suites

Failover for specific virtual server

APM-Specific Features for Securing Your Website

Rest API to disable virtual server

Regional Edge Resiliency Zones and Virtual Sites

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS