How to turn off TLS1.0 – and only allow TLS1.1 and TLS1.2 on LTM 2000s

Question

When we implement the new F5 load balancers and proxies, we have to turn off TLS1.0 – we will only allow TLS1.1 and TLS1.2&nbsp;

hannes_rapp · Answer

Create a new clientssl profile where you specify a custom cipher-string, keep the other settings as default. You can name this as 'profile_clientssl_base'.
If all you want is to disable TLSv1.0, and keep the rest as default, you can use DEFAULT:!TLSv1 as your custom string. When done, this profile can be reused as your Parent Profile for all the other clientssl profiles you create in the future.
If your concern is with the upcoming PCI DSS 3.1 requirements (will be enforced in June 2016), have a look at here https://devcentral.f5.com/questions/pci-cipher-set. You should check out the second answer which is not User Accepted, if you don't want to disable more cipher suites than required.

iaine · Answer

This thread goes into detail on this&nbsp;
If you are unsure about changing the ciphers in the ssl profile then if you look in the Options list in the profile then there is an option No TLSv1 that you can use if you prefer&nbsp;

tatmotiv · Answer

Also, have a look at this document which is totally recommended reading:
https://f5.com/Portals/1/Premium/Architectures/RA-SSL-Everywhere-deployment-guide.pdf&nbsp;

Forum Discussion

How to turn off TLS1.0 – and only allow TLS1.1 and TLS1.2 on LTM 2000s

3 Replies

ICYMI - Steve Wozniak at AppWorld 2026

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Pktclass Blob load failed

Issue with TLS Version 1.1 Deprecated Protocol

F5 Software Downgrade from version 17.x.x to 15.x.x

Connections appear not to use Persistence

HA Failover between two Datacenters

Related Content

Enableing TLS1.2

Redirect TLS1.0 to TLS1.2

Enforce TLS1.0 & TLS1.1 to TLS1.2

Make a copy of all existing clientssl profiles requiring TLS1.2

Ciphers for restricting traffic to TLS1.2

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS