Issue on disabling TLS 1.0 / TLS 1.1
Hello,
We have a problem with an LTM (Local Traffic Manager) when we turn off TLS 1.0 and 1.1. When these protocols are disabled in the SSL profile, the F5 does not return any error to the client. We would like to disable these protocols and return an HTML page to our clients when they go to the website.
We have prepared an iRule that looks like this:
    when HTTP_REQUEST {
        # compare the negotiated TLS version as a string
        if { [SSL::cipher version] ne "TLSv1.2" } {
            HTTP::respond 503 content {
                my html
            }
        }
    }
This iRule works if we don't disable both protocols directly in the SSL profile. On the other hand, when they are disabled, the F5 does not even read the iRule. I think the trigger condition of the iRule is wrong: when the handshake fails, there is no HTTP request.
We are looking for a way to set up an iRule that returns an HTML page, or redirects to another URL, in case of an SSL handshake failure.
Can someone help me?
- Lee_Sutcliffe (Nacreous)
The problem you have is that SSL negotiation happens prior to HTTP_REQUEST. So if you have disabled TLS 1.0 and the client only uses TLS 1.0, the session will never be established; it will be terminated before you reach the HTTP request event, hence being unable to send an HTTP::respond command.
It is by design that you do not receive an error in this instance. You would see in the SSL handshake that the version is not supported but this is not obvious to your users unless they are capturing the request using Wireshark for example.
What is your actual requirement?
- Surgeon (Ret. Employee)
If you use SSL, the browser expects to finish the SSL handshake first. You will not be able to receive HTML if the SSL handshake fails. You need to get the SSL handshake established, and only then can you send and receive HTML.
These are just TCP/IP stack rules. If a lower-level protocol fails, the upper level will not work. What you can do is wait until the SSL handshake is established and then terminate it if the SSL version is lower than TLS 1.2. You can implement it via an iRule.
- Mike_62127 (Nimbostratus)
This iRule works well for what you are asking.
    if { [SSL::cipher version] ne "TLSv1.2" } { HTTP::respond 200 content "Your browser must support TLSv1.2" }
- Mike_62127 (Nimbostratus)
I should have added that you need to keep TLSv1.0 and 1.1 enabled in the SSL profile. This will terminate any non-TLSv1.2 connections at the LTM and send the custom error message to the client.
- Surgeon (Ret. Employee)
But be aware that this solution requires TLS 1.0 and TLS 1.1 to be enabled and may impact your rank on SSL Labs. You need to decide which option to use.
See Lee Sutcliffe's replies earlier
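The approach Surgeon and Mike describe, written out as a complete iRule. This is an added example, not code posted by anyone in the thread. It assumes the client SSL profile still has TLS 1.0 and 1.1 enabled (so the handshake completes and HTTP_REQUEST fires), that the iRule is attached only to the HTTPS virtual server carrying that profile, and that the BIG-IP release supports TLS 1.3 (drop the "TLSv1.3" entry otherwise). The 426 status code, the log format and the HTML body are choices made for this example; the CLIENTSSL_HANDSHAKE logging is there so you can count how many clients would be cut off before you take Surgeon's advice and disable the old versions outright.

```tcl
# Added example, not from any poster in this thread.
# Assumes: TLS 1.0/1.1 still enabled in the client SSL profile, HTTPS virtual
# server only, TLSv1.3 entry valid only if the platform supports it.

when RULE_INIT {
    # Versions we accept; anything else gets the upgrade page.
    set static::tls_allowed [list "TLSv1.2" "TLSv1.3"]
    # Constructed HTML body returned to legacy clients.
    set static::tls_page {<!DOCTYPE html>
<html><head><title>Upgrade required</title></head>
<body><h1>Your browser or client uses an outdated TLS version</h1>
<p>This site requires TLS 1.2 or newer. Please update your browser or operating system.</p>
</body></html>}
}

when CLIENTSSL_HANDSHAKE {
    # Record every legacy negotiation. Counting these log lines over a few weeks
    # tells you how many clients break once TLS 1.0/1.1 are disabled for real.
    set tls_version [SSL::cipher version]
    if { [lsearch -exact $static::tls_allowed $tls_version] == -1 } {
        log local0.info "legacy TLS: client [IP::client_addr] negotiated $tls_version to [IP::local_addr]:[TCP::local_port]"
    }
}

when HTTP_REQUEST {
    # The handshake has finished, so an HTTP response can reach the client.
    if { [lsearch -exact $static::tls_allowed [SSL::cipher version]] == -1 } {
        # 426 Upgrade Required says why the request was refused; closing the
        # connection stops further requests on this legacy session.
        HTTP::respond 426 content $static::tls_page \
            "Content-Type" "text/html; charset=utf-8" \
            "Connection" "close"
        return
    }
}
```

Surgeon's caveat still applies: while this iRule is in place the virtual server negotiates TLS 1.0 and 1.1, so external scanners such as SSL Labs will grade it accordingly. Treat the iRule as a transition step, use the CLIENTSSL_HANDSHAKE log lines to measure the remaining legacy population, then disable the old versions in the SSL profile once that population is acceptably small.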