Forum Discussion
Issue with TLS Version 1.1 Deprecated Protocol
My vuln scanner is popping hot for an issue on only one of my tenants. The issue describes the following.
"Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1. - TLSv1.1 is enabled and the server supports at least one cipher."
I've read a few articles on where to disable this in BIG-IP, and from what I can gather I don't see where I have TLS 1.1 enabled on this guest or the handful of services I run on it.
This issue is still showing on my vulnerability report as of this past Wednesday, so it's clear I'm missing something. Any suggestions?
2 Replies
- Injeyan_Kostas
Nacreous
Is this referring to the Management GUI?
If yes, check this:
tmsh list sys httpd ssl-protocol
If the output is
ssl-protocol "All -SSLv2 -SSLv3 -TLSv1"
then change to something like this:
tmsh modify /sys httpd ssl-protocol "TLSv1.2"
tmsh save sys config
- PeteWhite
Employee
There are two places where the BIG-IP does TLS:
- Management plane, i.e. the BIG-IP GUI
- Userplane, i.e. TLS for virtual servers etc.
As Injeyan_Kostas has said, you can do this simply for the management plane in the way he shows.
However, for userplane you need to update the clientSSL profile. It is generally recommended that you don't change the underlying client-ssl profile, as this is updated during software upgrades. However, you should create a standard profile which uses client-ssl as the parent and is in turn the parent for all of your client-ssl profiles. In this, you can change the TLS protocol and disable TLSv1 (or set ciphers or whatever).
The issue with changing this to deny TLSv1.1 is that there may be some users who use browsers that use TLSv1.1 and may then have issues, so you should do some investigation and bring this in carefully, but ultimately if you want to increase security then you need to do it.
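Added example, not part of the thread and not F5's own code: assuming the management httpd `ssl-protocol` value follows Apache mod_ssl `SSLProtocol` syntax, this resolves the string to the protocols it leaves enabled, which shows why the output quoted in the first reply still trips a TLS 1.1 finding. The `DEFAULT_ALL` expansion and the sample `tmsh` output are constructed assumptions.

```python
import re

# Assumption: what "All" expands to depends on the httpd/OpenSSL build;
# this set is illustrative, pass your own via all_protocols.
DEFAULT_ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN = {p.lower(): p for p in
         ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def effective_protocols(value, all_protocols=DEFAULT_ALL):
    """Resolve an SSLProtocol-style string to the set of enabled protocols."""
    enabled = set()
    for token in value.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name == "all":
            selected = set(all_protocols)
        elif name in KNOWN:
            selected = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if sign == "-":
            enabled -= selected
        elif sign == "+":
            enabled |= selected
        else:
            enabled = set(selected)  # a bare token replaces what came before
    return enabled


def audit_httpd(tmsh_output, all_protocols=DEFAULT_ALL):
    """Return the sorted deprecated protocols left enabled by ssl-protocol."""
    match = re.search(r'ssl-protocol\s+"?([^"\n]+)"?', tmsh_output)
    if not match:
        raise ValueError("no ssl-protocol line found")
    enabled = effective_protocols(match.group(1), all_protocols)
    return sorted(enabled & DEPRECATED)


# Constructed samples shaped like `tmsh list sys httpd ssl-protocol` output.
SAMPLE_BEFORE = 'sys httpd {\n    ssl-protocol "All -SSLv2 -SSLv3 -TLSv1"\n}\n'
SAMPLE_AFTER = 'sys httpd {\n    ssl-protocol TLSv1.2\n}\n'

if __name__ == "__main__":
    print("before:", audit_httpd(SAMPLE_BEFORE))
    print("after: ", audit_httpd(SAMPLE_AFTER))
```

This only covers the management plane string; client SSL profiles on virtual servers are configured separately, as the second reply explains.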