Forum Discussion
HTTPS calls supporting TLS V 1.2
- Oct 18, 2016
I don't think you need to do anything in particular to enable TLS1.2. It's one of the common features of the SSL/TLS handshake to pick the highest protocol version both parties support. Recent BigIP versions allow (and prefer) TLS1.2 to be used during client-side SSL handshake, unless you have disabled it yourself, or if your software version is badly outdated (10.2.2 and older). While TLS1.2 is given preference, there's nothing that by default would prevent your clients from falling back to older TLS versions if 1.2 is not supported.
- What is your BigIP version? This SOL lists out the SSL/TLS versions which are enabled by the default clientssl profile configurations, or by the DEFAULT Cipher String setting. https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html
- Manikanta_26608 Oct 18, 2016 Nimbostratus
Thanks Hannes, it answers my question. My BigIP version is 11.5.3. So every call reaching BigIP should not support TLS 1.2. For the calls which support lower TLS versions, will lower ciphers get picked up? How exactly does this cipher selection work for each request?
- Hannes_Rapp_162 Oct 18, 2016 Nacreous
That's correct. If you have cURL calls which target the site using TLS1.0, these should work just fine. If your website is publicly accessible, you may validate your supported SSL/TLS versions using this SSL checker: https://www.ssllabs.com/ssltest/
- Manikanta_26608 Oct 18, 2016 Nimbostratus
That helps. The handshake simulations, protocols are clearly saying that my BigIP supports all TLS versions for all types of clients. I think it will be good for my requirement. Thank you.
- Manikanta_26608 Nov 02, 2016 Nimbostratus
Hi,
Currently we are using the default list of ciphers in the SSL profile for version 11.5.3. When a call comes in and hits the VIP, can you please tell me how it will prioritize the ciphers and select one cipher to process the request? Can we have a list in prioritized format, in the order in which they will be selected?
Thank you.
- Hannes_Rapp_162 Nov 03, 2016 Nacreous
@Manikanta -> https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15194.html
Copy/Paste to BASH shell.
tmm --clientciphers 'DEFAULT' lists out all enabled cipher suites in the order of preference of your BigIP.
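
Added example, not part of the thread and not F5 code: a simplified Python model of the negotiation discussed above. It assumes the server takes the highest protocol version the client advertises that it also has enabled, then the first suite in its own preference order that the client offered. The `negotiate` helper and the preference list are constructed for illustration and do not reproduce the 11.5.3 DEFAULT list.

```python
# Simplified model of TLS version and cipher negotiation (added example).
# SERVER_PREFERENCE is constructed sample data, not the real DEFAULT
# cipher list of any BIG-IP release.
VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2"]  # oldest to newest

# (suite name, oldest protocol version the suite is valid for),
# in server preference order, most preferred first.
SERVER_PREFERENCE = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLS1.2"),
    ("ECDHE-RSA-AES128-SHA", "TLS1.0"),
    ("AES128-GCM-SHA256", "TLS1.2"),
    ("AES128-SHA", "TLS1.0"),
    ("DES-CBC3-SHA", "TLS1.0"),
]


def negotiate(client_max, client_ciphers,
              server_versions=VERSIONS, preference=SERVER_PREFERENCE):
    """Return (version, cipher), or None if the handshake would fail.

    Assumption: the client advertises only its highest version and
    accepts anything lower, as a pre-TLS1.3 ClientHello does.
    """
    rank = VERSIONS.index
    # Step 1: highest protocol version both parties support.
    common = [v for v in server_versions if rank(v) <= rank(client_max)]
    if not common:
        return None
    version = max(common, key=rank)
    # Step 2: walk the server's list in order and take the first suite
    # the client offered that is valid for the negotiated version.
    offered = set(client_ciphers)
    for suite, min_version in preference:
        if suite in offered and rank(min_version) <= rank(version):
            return version, suite
    return None


if __name__ == "__main__":
    legacy = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA"]
    # A TLS1.0-only client falls back to an older suite by default ...
    print(negotiate("TLS1.0", legacy))
    # ... and is refused once only TLS1.2 is left enabled on the server.
    print(negotiate("TLS1.0", legacy, server_versions=["TLS1.2"]))
```

In this model the client's own ordering of suites has no effect on the outcome; only the server's preference list and the negotiated version do.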