
Cpet
Feb 22, 2023

How to disable only TLS v1 & TLS v1.1 on specific virtual server

Hi all,

Could you help me disable only TLS v1 & TLS v1.1 on a specific virtual server and not on the entire SSL profile?

Thank you in advance,

  • Usually, you have an SSL client profile per virtual server, right? I don't see why you want to do it in an iRule.

    You can try to reject the connection if it has a TLS version, but I don't know if you can change the TLS version:

    when CLIENTSSL_CLIENTHELLO {
        # Reject TLS 1.0 / TLS 1.1 connections and log every decision
        if {([SSL::cipher version] equals "TLSv1.1") || ([SSL::cipher version] equals "TLSv1")} {
            log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - REJECT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
            reject
        } else {
            log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - ACCEPT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
        }
    }

     

    • Cpet

      In that case I have many VS with the same SSL profile and I wanted to know if it was possible to do it with an iRule.
      I will try the suggested iRule.

      Thanks

    • Cpet

      Hi Mihaic,

      Thanks for your response.
      I have already read the suggested article but I want to disable TLS v1 & TLS v1.1 only on a specific virtual server without disabling TLS v1 & TLS v1.1 in the SSL profile. Is it possible with an iRule, for example?

       

      • Create a new SSL-Profile and use your current one as parent. Then deactivate tls1/1.1 and put this on the virtual server. 

  • Try this iRule:

    when CLIENT_ACCEPTED {
        SSL::profile vip_ssl_no_TLSv1
    }

    where vip_ssl_no_TLSv1 is another SSL profile where you disable whatever you want.

    I tested with this cipher string: DEFAULT:!TLSv1:!TLSv1_1

    • Cpet

      It works!
      Thank you for your support.
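
Added example (not part of any post in this thread): a Python sketch that reads the messages written by the logging iRule posted above and lists, per virtual server, which clients still negotiated TLSv1 or TLSv1.1, so you can see who is affected before moving a virtual server to the restricted profile. The sample log lines, their syslog prefix, and the names `tls_audit`, `vs_app1` and `vs_app2` are constructed for illustration.

```python
import re
from collections import defaultdict

# Message body written by the thread's logging iRule:
# "... LOG_SSL_LEVEL - <REJECT|ACCEPT> Client: <ip> <version> - <cipher> - <bits> - For the VIP - <virtual>"
LINE_RE = re.compile(
    r"LOG_SSL_LEVEL - (?P<action>REJECT|ACCEPT) Client: (?P<ip>\S+) "
    r"(?P<version>\S*) - (?P<cipher>\S*) - (?P<bits>\S*) - For the VIP - (?P<vip>\S+)"
)
LEGACY = {"TLSv1", "TLSv1.1"}

# Constructed sample input (hypothetical hosts, rule and virtual server names).
P = "Feb 22 10:15:01 bigip1 info tmm[11223]: Rule /Common/tls_audit <CLIENTSSL_CLIENTHELLO>: "
M = "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - "
SAMPLE_LOG = [
    P + M + "REJECT Client: 192.0.2.10 TLSv1 - AES128-SHA - 128 - For the VIP - /Common/vs_app1",
    P + M + "ACCEPT Client: 192.0.2.11 TLSv1.2 - ECDHE-RSA-AES128-GCM-SHA256 - 128 - For the VIP - /Common/vs_app1",
    P + M + "REJECT Client: 192.0.2.10 TLSv1.1 - AES256-SHA - 256 - For the VIP - /Common/vs_app1",
    P + M + "ACCEPT Client: 198.51.100.7 TLSv1.2 - ECDHE-RSA-AES256-GCM-SHA384 - 256 - For the VIP - /Common/vs_app2",
    "Feb 22 10:15:02 bigip1 notice mcpd[4321]: unrelated message",
]

def legacy_clients(lines):
    """Return {virtual server: {client IP: sorted legacy TLS versions seen}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.search(line)
        # Lines from other sources, or with a modern version, are skipped.
        if m and m["version"] in LEGACY:
            seen[m["vip"]][m["ip"]].add(m["version"])
    return {vip: {ip: sorted(v) for ip, v in clients.items()}
            for vip, clients in seen.items()}

def safe_to_enforce(lines, vip):
    """True when no TLSv1/TLSv1.1 client was logged for this virtual server."""
    return vip not in legacy_clients(lines)

if __name__ == "__main__":
    for vip, clients in legacy_clients(SAMPLE_LOG).items():
        for ip, versions in clients.items():
            print(f"{vip}: {ip} used {', '.join(versions)}")
```
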