Forum Discussion
Leave TLSv1 enabled but prioritize TLS1.2 or TLS1.1 over v1
We've disabled SSL altogether on our F5 but we still allow TLSv1, TLSv1.1 and 1.2. We notice that most of our clients are hitting us on TLSv1 even though we support 1.2. Our clients have stated that they're sending a list of ciphers that they support when they initially connect (TLSv1, 1.1, and 1.2). Even though they're supporting 1.2 and we support 1.2, their connection is still using 1.0. Looking at the tmm clientciphers DEFAULT command I see that tls1.0 is ordered above 1.1 and 1.2. Is there a way to reorder this or prioritize 1.2 and 1.1 over 1.0?
- Hannes_Rapp_162Nacreous
Append +TLSv1 to your clientssl Cipher configuration. This will move all TLSv1.0 cipher suite combinations to the end of the list (least preferred).
I.e:
DEFAULT:+TLSv1
- justin_westove1Nimbostratus
Awesome thanks! Is this documented somewhere? I looked and couldn't find an article on this.
- justin_westove1Nimbostratus
So after I made the change you suggested to the clientssl default cert on the F5 I executed the tmm --clientcipher DEFAULT command and got the following:
0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
1: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
2: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
Line 2 is the most important in this output: tlsv1 still has priority over tls1.1 or 1.2. Thoughts?
- Hannes_RappNimbostratus
I'm not sure what else you have configured in your cipher string, or in the clientssl profile. Probably another option takes priority (i.e. sort by bit strength or speed?). Regardless, this option alone clearly works as intended (using BigIP v11.5.4 in this sample):
tmm --clientciphers 'DEFAULT:+TLSv1'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
1: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
2: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
3: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
4: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
5: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
6: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
7: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 5 RC4-SHA 128 TLS1.1 Native RC4 SHA RSA
12: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
13: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
14: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
15: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
16: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
17: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
18: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
19: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
20: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
21: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
22: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
23: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
24: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
25: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
26: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
27: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
- justin_westove1Nimbostratus
Ok, I didn't type that command to verify; I typed just "tmm --clientcipher DEFAULT"... you're right, that does look to have taken care of it.
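A small model of the ordering rule Hannes describes, added here as an example (not F5's code): it parses the tmm --clientciphers rows justin posted for DEFAULT, flags the TLS1-before-TLS1.1/1.2 ordering he was worried about, then applies +TLSv1 as a stable move-to-end of the TLS1 rows and re-checks. The move-to-end semantics are an assumption inferred from the before/after output in this thread, and the parse/check functions are hypothetical helpers.

```python
"""Model of what ':+TLSv1' does to an F5 clientssl cipher preference list.
Added example, not F5 code. Assumption: '+<proto>' keeps every suite but moves
the matching rows to the end (least preferred) without changing their order."""
import re
from typing import List, Tuple

# Constructed sample: the rows quoted in the thread for the plain DEFAULT string.
DEFAULT_OUTPUT = """\
0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
1: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
2: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
"""

# Columns as tmm prints them: index: ID SUITE BITS PROT METHOD CIPHER MAC KEYX
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+")

def parse_tmm(output: str) -> List[Tuple[str, str]]:
    """Return (suite, protocol) pairs in the order tmm printed them (most preferred first)."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:  # skips the 'ID SUITE BITS ...' header and blank lines
            rows.append((m.group(2), m.group(4)))
    return rows

def tls1_outranks_newer(rows: List[Tuple[str, str]]) -> bool:
    """True if any TLS1 (1.0) row is listed ahead of a TLS1.1 or TLS1.2 row."""
    seen_tls1 = False
    for _suite, prot in rows:
        if prot == "TLS1":
            seen_tls1 = True
        elif prot in ("TLS1.1", "TLS1.2") and seen_tls1:
            return True
    return False

def apply_plus(rows: List[Tuple[str, str]], protocol: str) -> List[Tuple[str, str]]:
    """Model ':+<protocol>' as a stable partition: non-matching rows first, matching rows last."""
    kept = [r for r in rows if r[1] != protocol]
    moved = [r for r in rows if r[1] == protocol]
    return kept + moved

def check(output: str) -> Tuple[bool, bool]:
    """(TLS1 outranks newer with the given list, TLS1 outranks newer after '+TLSv1')."""
    rows = parse_tmm(output)
    return tls1_outranks_newer(rows), tls1_outranks_newer(apply_plus(rows, "TLS1"))
```

Feed the output of tmm --clientciphers with the cipher string you actually deployed into parse_tmm; as the last reply shows, querying plain DEFAULT tells you nothing about a profile that uses DEFAULT:+TLSv1.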