Hello All we have an some Terminal that needs to connect to one of our Front End Boxes, it is going to be using SSL, there appears to be a limitation for the Termnal to be able to connect using TLS 1.1 is this supported on the Big ip ltm either 3900 or 1600 i looked through the Profile ssl client i did not see anything like about ssl 1.1 ...

TLS v1.1 is definitely supported on all LTM platforms and software versions. You can capture a tcpdump of the issue and then either use Wireshark with the SSL private key imported or ssldump to decrypt the trace and diagnose the issue. If you need any help capturing or analyzing the traces, you can search on AskF5 for tcpdump and ssldump, or open a case with F5 Support. Aaron

Hoolio - I see there are options in the SSL profiles for disabling SSLv2, v3, TLSv1, etc...any idea why there isn't one for disabling TLSv1.1? I can't think of a reason you'd want to but I think it not being listed as an option probably contributes to confusion about it being usable.

Sorry, I was being a numpty and was thinking of TLSv1--not TLSv1.1. I couldn't find any docs on support for TLSv1.1 and none of the clients (openssl, curl, etc) I can find support it to try testing. I'd hazard a guess that LTM might not support v1.1. You might try opening a support case with F5 to check on this. If you do, can you reply back here with what you find? Thanks, Aaron

Thanks guys i was curious why there wasn't any reference to TLS 1.1, so by default if TLS 1.1 is presented to the LTM it will negotiate without the need for any Irule trick... ? ..

Awesome another good reason to migrate off the CSS 1100 We have, i have not set the environment on the LTM yet i am just in the process of selling the idea to management.. thanks again ..

is TLS Version 1.1 Supported on Big IP

hoolio
Cirrostratus
Jun 17, 2010
TLS v1.1 is definitely supported on all LTM platforms and software versions. You can capture a tcpdump of the issue and then either use Wireshark with the SSL private key imported or ssldump to decrypt the trace and diagnose the issue. If you need any help capturing or analyzing the traces, you can search on AskF5 for tcpdump and ssldump, or open a case with F5 Support.

Aaron
Chris_Miller
Altostratus
Jun 17, 2010
Hoolio - I see there are options in the SSL profiles for disabling SSLv2, v3, TLSv1, etc...any idea why there isn't one for disabling TLSv1.1? I can't think of a reason you'd want to but I think it not being listed as an option probably contributes to confusion about it being usable.
hoolio
Cirrostratus
Jun 17, 2010
Sorry, I was being a numpty and was thinking of TLSv1--not TLSv1.1. I couldn't find any docs on support for TLSv1.1 and none of the clients (openssl, curl, etc) I can find support it to try testing. I'd hazard a guess that LTM might not support v1.1. You might try opening a support case with F5 to check on this. If you do, can you reply back here with what you find?

Thanks, Aaron
nassahla_65866
Nimbostratus
Jun 17, 2010
Thanks guys i was curious why there wasn't any reference to TLS 1.1, so by default if TLS 1.1 is presented to the LTM it will negotiate without the need for any Irule trick... ? ..
nassahla_65866
Nimbostratus
Jun 17, 2010
Awesome another good reason to migrate off the CSS 1100 We have, i have not set the environment on the LTM yet i am just in the process of selling the idea to management.. thanks again ..
JRahm
Admin
Jun 17, 2010
TLS versions 1.1 & 1.2 are not yet supported.
hoolio
Cirrostratus
Jun 18, 2010
Thanks for confirming Jason. nassahla, you could open a case with F5 Support to find out more on F5's plans to support TLSv1.1 and TLSv1.2 (once the spec is complete).

Aaron
nassahla_65866
Nimbostratus
Jun 21, 2010
I have begun the process i contacted our account rep, i will report back with the outcome... thanks...
Mack_Hanson_107
Nimbostratus
Dec 23, 2011
Is there any news regarding TLS 1.1 and 1.2 support? Is it already released? If so, please point me at an article describing how to deny TLS 1.0 and require TLS 1.1.
nitass
Employee
Dec 23, 2011
TLS 1.2 has been supported since10.2.3.

Release Note: BIG-IP LTM and TMOS version 10.2.3

http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes-LTM-10-2-3.html

for TLS 1.1, initially we had no plan in supporting it. anyway, i am not sure about right now (after having BEAST).