Forum Discussion
luke_xu_56087
Nimbostratus
Dec 07, 2012
How to force client ssl profile to use tls 1.0 only?
We are running version 11.1, is there a way to force client ssl profile to use tls 1.0 only?
5 Replies
- Elias_O_16228
Nimbostratus
Hi Luke,
You will have to modify the cipher. Go to Local Traffic > Profile > SSL > Client > Cipher: the cipher is probably on default. Check the square box on the right corner, then delete the "default" and change it to read: TLSv1.0 (you are done). Click update.
I have played with this sometime. We are currently only accepting TLSv1.2, which is similar in configuration.
Regards
Elias
- luke_xu_56087
Nimbostratus
Hi Elias,
Thanks a lot for the reply, support also supplied this answer: DEFAULT:COMPAT:!TLSv1_2, that is to disable tlsv1.2.
Regards,
- Kevin_Stewart
Employee
So technically speaking, there are three problems with the above string:
1. 11.2 introduces TLSv1_1
2. Disabling TLSv1_2 does not disable other protocols, so a browser could still use TLSv1_1 and SSLv3
3. Unless you have specific requirements for COMPAT ciphers, the COMPAT stack relies on the OpenSSL library and is therefore slower than the NATIVE stack. The DEFAULT string includes NATIVE, so you only need DEFAULT and the list of protocols that you don't want.
For example: DEFAULT:!TLSv1_2:!TLSv1_1:!SSLv3
Here are some important references:
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13187.html
- Elias_O_16228
Nimbostratus
but your post said TLS1.0 ONLY. " is there a way to force client ssl profile to use tls 1.0 only"
If you want to include other protocols in the Default suite and disable the ones you don't want.
- luke_xu_56087
Nimbostratus
Thanks a bunch...
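Added example, not code from any poster in this thread or from F5: a client-side check that a virtual server really negotiates TLS 1.0 only after the cipher string is changed, by pinning one handshake per protocol version. The names `probe`, `audit` and `SAMPLE` are hypothetical, and what can be tested depends on the local OpenSSL build (many builds no longer offer SSLv3).

```python
import socket
import ssl
import sys

# Protocol keywords as used in the thread's cipher strings, mapped to the
# Python ssl constants that pin a handshake to exactly one version.
VERSIONS = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1": ssl.TLSVersion.TLSv1,
            "TLSv1_1": ssl.TLSVersion.TLSv1_1, "TLSv1_2": ssl.TLSVersion.TLSv1_2}

# Constructed sample (not measured): the outcome described in point 2 of the
# reply above for DEFAULT:COMPAT:!TLSv1_2, where only TLS 1.2 is refused.
SAMPLE = {"SSLv3": True, "TLSv1": True, "TLSv1_1": True, "TLSv1_2": False}

def probe(host, port, name, timeout=5.0):
    """True/False if the server accepts/rejects `name`; None if the local
    OpenSSL build cannot offer that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol support is being tested,
    ctx.verify_mode = ssl.CERT_NONE  # not certificate trust
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # allow old protocols locally
        ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLError as exc:
        # A local refusal must not be reported as a server-side rejection.
        return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except ConnectionResetError:
        return False

def audit(results, allowed=("TLSv1",)):
    """Compare probe results with the intended policy (TLS 1.0 only).
    Returns sorted findings; an empty list means the policy holds."""
    findings = []
    for name, accepted in results.items():
        if accepted is None:
            findings.append(f"{name}: not testable with this client")
        elif accepted and name not in allowed:
            findings.append(f"{name}: accepted but should be disabled")
        elif not accepted and name in allowed:
            findings.append(f"{name}: rejected but should be enabled")
    return sorted(findings)

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    found = audit({n: probe(host, port, n) for n in VERSIONS})
    print("\n".join(found) or "TLS 1.0 only: OK")
```

Run it as `python script.py <host> <port>` against a virtual server you administer; timeouts and refused connections are raised as errors rather than counted as a protocol rejection.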