Forum Discussion
Ghislain_Pellet
May 17, 2018 · Nimbostratus
How to set top priority for TLS 1.2 protocol over TLS 1.0 for client ciphers in BIG-IP v11.6.x
Problem: The F5 (version 11.6.x) establishes a TLS 1.0 connection for a client browser even if protocols TLS 1.2 and TLS 1.1 are part of the supported ciphers on both sides (client browser and F5 cli...
May 18, 2018
Hi Ghislain,
if it's generally just about ordering by protocol preference, the following cipher string will do it:
DEFAULT:+TLSv1_1:+TLSv1:+DTLSv1
Please check via command line:
tmm --clientciphers 'DEFAULT:+TLSv1_1:+TLSv1:+DTLSv1'
The "+" prefix lowers the preference of the specifier (applies to handshake-methods, bulk-crypto and message-digest algorithms as well).
Back to your specific case it would be the following:
DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:+TLSv1_1:+TLSv1:!DTLSv1
Verification:
tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:+TLSv1_1:+TLSv1:!DTLSv1'
     ID  SUITE               BITS  PROT    METHOD  CIPHER  MAC  KEYX
 0:  51  DHE-RSA-AES128-SHA  128   TLS1.2  Native  AES     SHA  EDH/RSA
 1:  57  DHE-RSA-AES256-SHA  256   TLS1.2  Native  AES     SHA  EDH/RSA
 2:  51  DHE-RSA-AES128-SHA  128   TLS1.1  Native  AES     SHA  EDH/RSA
 3:  57  DHE-RSA-AES256-SHA  256   TLS1.1  Native  AES     SHA  EDH/RSA
 4:  51  DHE-RSA-AES128-SHA  128   TLS1    Native  AES     SHA  EDH/RSA
 5:  57  DHE-RSA-AES256-SHA  256   TLS1    Native  AES     SHA  EDH/RSA
In a previous post ("TMOS SSL TLS Cipher Cheat Sheet") I tried to summarize the different approaches for cipher specification including aliases and keywords.
Cheers, Stephan
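The verification step in the reply above can be automated. The following is an added example, not part of the original post or of F5's tooling: a shell function that reads a `tmm --clientciphers` listing on stdin and fails if a newer protocol appears after an older one or if a protocol other than TLS1.2, TLS1.1 or TLS1 is listed. The function and sample names are hypothetical, and it assumes PROT is the fifth whitespace-separated field, as in the listing shown in the reply.

```bash
#!/usr/bin/env bash
# Added example (not from the post): verify that a `tmm --clientciphers`
# listing is ordered TLS1.2 -> TLS1.1 -> TLS1. Assumes PROT is the 5th
# whitespace-separated field of each "N:" row, as in the output above.

check_proto_order() {
  awk '
    BEGIN { rank["TLS1.2"] = 3; rank["TLS1.1"] = 2; rank["TLS1"] = 1; prev = 99 }
    $1 ~ /^[0-9]+:$/ {                      # data rows start with "N:"
      rows++
      if (!($5 in rank)) {                  # any other PROT value is reported
        printf "row %s unexpected protocol %s (%s)\n", $1, $5, $3
        bad = 1; next
      }
      if (rank[$5] > prev) {                # newer protocol after an older one
        printf "row %s %s listed after an older protocol\n", $1, $5
        bad = 1
      }
      prev = rank[$5]
    }
    END { if (!rows) { print "no cipher rows found"; bad = 1 }; exit bad + 0 }
  '
}

# Sample 1: first, third and fifth rows of the listing quoted in the reply.
sample_from_post() { cat <<'EOF'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
EOF
}

# Sample 2: constructed listing with TLS1 ahead of TLS1.2 (the ordering
# the original question complains about).
sample_reordered() { cat <<'EOF'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
EOF
}

sample_from_post | check_proto_order && echo "protocol order OK"
```

On a BIG-IP, the listing would be piped in from the `tmm --clientciphers '...'` command shown in the reply instead of from the embedded samples.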