Forum Discussion
OTS02
Cirrus
Dec 07, 2015
Is there a way to force TLS version?
I have a group of servers that will not negotiate SSL with LTM when the client goes through the VS. The client can connect directly to the server OK, and https monitors have no problem.
When I ssldump going d...
Hannes_Rapp
Nimbostratus
Dec 08, 2015
If you change your SSL serverside profile cipher conf to TLSv1_2, you can make your F5, acting as a client, only establish an SSL handshake if your application server supports at least one of the TLSv1.2 cipher suites below. If the server does not support TLSv1.2, F5 will tear down the serverside TCP connection. Despite explicit TLSv1.2, the list has some weak suites in it; you might want to adjust it a little further.
tmm --serverciphers "TLSv1_2"
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
3: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_ECDSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
5: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDHE_ECDSA
6: 163 DHE-DSS-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 DHE/DSS
7: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
8: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 Native AES SHA256 EDH/RSA
9: 106 DHE-DSS-AES256-SHA256 256 TLS1.2 Native AES SHA256 DHE/DSS
10: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
11: 56 DHE-DSS-AES256-SHA 256 TLS1.2 Native AES SHA DHE/DSS
12: 167 ADH-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ADH
13: 49202 ECDH-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_RSA
14: 49198 ECDH-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_ECDSA
15: 49194 ECDH-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDH_RSA
16: 49190 ECDH-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDH_ECDSA
17: 49167 ECDH-RSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDH_RSA
18: 49157 ECDH-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDH_ECDSA
19: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
20: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
21: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
22: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
23: 49160 ECDHE-ECDSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_ECDSA
24: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
25: 49165 ECDH-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDH_RSA
26: 49155 ECDH-ECDSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDH_ECDSA
27: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
28: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
29: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_ECDSA
30: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
31: 49187 ECDHE-ECDSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_ECDSA
32: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
33: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.2 Native AES SHA ECDHE_ECDSA
34: 162 DHE-DSS-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 DHE/DSS
35: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
36: 103 DHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 EDH/RSA
37: 64 DHE-DSS-AES128-SHA256 128 TLS1.2 Native AES SHA256 DHE/DSS
38: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
39: 50 DHE-DSS-AES128-SHA 128 TLS1.2 Native AES SHA DHE/DSS
40: 166 ADH-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ADH
41: 49201 ECDH-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDH_RSA
42: 49197 ECDH-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDH_ECDSA
43: 49193 ECDH-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDH_RSA
44: 49189 ECDH-ECDSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDH_ECDSA
45: 49166 ECDH-RSA-AES128-SHA 128 TLS1.2 Native AES SHA ECDH_RSA
46: 49156 ECDH-ECDSA-AES128-SHA 128 TLS1.2 Native AES SHA ECDH_ECDSA
47: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
48: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
49: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
50: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
51: 4 RC4-MD5 128 TLS1.2 Native RC4 MD5 RSA
52: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
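The post notes that the TLSv1_2 list still contains weak suites. As an added example (not part of the original post and not F5 tooling), this Python script parses output in the column layout shown above and reports which suites are weak and why; the function names and the weakness rules are assumptions chosen for illustration, and the sample rows are copied from the listing above.

```python
import re

# Rows copied from the `tmm --serverciphers "TLSv1_2"` listing quoted above.
SAMPLE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
12: 167 ADH-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ADH
27: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
49: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
51: 4 RC4-MD5 128 TLS1.2 Native RC4 MD5 RSA
52: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
"""

# index: id name bits prot method cipher mac keyx
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
FIELDS = ("id", "name", "bits", "prot", "method", "cipher", "mac", "keyx")

def parse(text):
    """Return one dict per cipher row; the header and other lines are skipped."""
    return [dict(zip(FIELDS, m.groups()))
            for m in map(ROW.match, text.splitlines()) if m]

def weaknesses(row):
    """List the reasons a suite should be excluded (empty list = no finding)."""
    reasons = []
    if row["keyx"] == "ADH":
        reasons.append("anonymous DH: the server is not authenticated")
    if row["cipher"] == "RC4":
        reasons.append("RC4 (prohibited for TLS by RFC 7465)")
    if row["cipher"] == "DES":
        # The CIPHER column says DES for both; the suite name tells them apart.
        if "CBC3" in row["name"]:
            reasons.append("3DES: 64-bit block cipher (Sweet32)")
        else:
            reasons.append("single DES: 56-bit effective key")
    if row["mac"] == "MD5":
        reasons.append("MD5 MAC")
    return reasons

def audit(text):
    """Map suite name -> reasons, for suites with at least one finding."""
    findings = {}
    for row in parse(text):
        reasons = weaknesses(row)
        if reasons:
            findings[row["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Feeding it the full listing instead of `SAMPLE` gives the set of suite names to exclude when tightening the serverside profile's cipher string.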
OTS02
Cirrus
Dec 08, 2015
Thank you Hannes Rapp. I tried that, and it does not help. It is the server (Windows 2008) that is sending the reset. I wish I knew where to view the SSL logs in Windows - it seems they should give some reason for the immediate reset.