Forum Discussion
luke_xu_56087
Nimbostratus
Dec 07, 2012
How to force client ssl profile to use tls 1.0 only?
We are running version 11.1, is there a way to force client ssl profile to use tls 1.0 only?
Kevin_Stewart
Employee
Dec 07, 2012
So technically speaking, there are three problems with the above string:
1. 11.2 introduces TLSv1_1
2. Disabling TLSv1_2 does not disable other protocols, so a browser could still use TLSv1_1 and SSLv3
3. Unless you have specific requirements for COMPAT ciphers, the COMPAT stack relies on the OpenSSL library and is therefore slower than the NATIVE stack. The DEFAULT string includes NATIVE, so you only need DEFAULT and the list of protocols that you don't want.
For example:
DEFAULT:!TLSv1_2:!TLSv1_1:!SSLv3
Here are some important references:
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13187.html
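Added example (not part of the thread and not F5 code): a small Python check that models the second and third points of the reply above, listing which protocol keywords a cipher string leaves enabled and whether it still pulls in COMPAT. The keyword set in KNOWN_PROTOCOLS, the function names and the first sample string are assumptions of this example.

```python
# Added example: simplified model of protocol exclusions in a cipher string.
# Assumption: these four keywords are what DEFAULT can enable; this is not
# F5's parser and it ignores cipher-suite selection entirely.
KNOWN_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")


def remaining_protocols(cipher_string, known=KNOWN_PROTOCOLS):
    """Protocols still enabled after every '!PROTO' exclusion is applied."""
    tokens = [t.strip() for t in cipher_string.split(":") if t.strip()]
    excluded = {t[1:] for t in tokens if t.startswith("!") and t[1:] in known}
    return [p for p in known if p not in excluded]


def audit(cipher_string, allowed, known=KNOWN_PROTOCOLS):
    """Compare what the string leaves enabled with the protocols you intend."""
    tokens = [t.strip() for t in cipher_string.split(":") if t.strip()]
    left = remaining_protocols(cipher_string, known)
    unexpected = [p for p in left if p not in allowed]
    return {
        "remaining": left,
        "unexpected": unexpected,
        "blocked_but_wanted": [p for p in allowed if p not in left],
        "uses_compat": "COMPAT" in tokens,
        "suggested": ":".join(tokens + ["!" + p for p in unexpected]),
    }


if __name__ == "__main__":
    # Constructed inputs; the first is not the string from the thread.
    for s in ("NATIVE:COMPAT:!TLSv1_2", "DEFAULT:!TLSv1_2:!TLSv1_1:!SSLv3"):
        print(s, "->", audit(s, allowed=["TLSv1"]))
```

On a version that does not know one of these keywords, pass a shorter tuple as `known` so the suggested string only contains exclusions that version accepts.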