Forum Discussion

Nimbostratus

Mar 03, 2016

Leave TLSv1 enabled but prioritize TLS1.2 or TLS1.1 over v1

We've disabled SSL all together on our F5 but we still allow TLSv1, TLSv1.1 and 1.2. We notice that most of our clients are hitting us on TLSv1 even though we support 1.2. Our clients have stated tha...

Nacreous

Append +TLSv1 to your clientssl Cipher configuration. This will move all TLSv1.0 cipher suite combinations to the end of the list (least preferred).

I.e:

DEFAULT:+TLSv1

justin_westove1

Nimbostratus

Mar 04, 2016

So after I made the change you suggested to the clientssl default cert on the F5 I executed the tmm --clientcipher DEFAULT command and got the following: 0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA 1: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA 2: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA 3: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA 4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA Line 2 is the most important in this output, tlsv1 still has priority over tls1.1 or 1.2. Thoughts?

Forum Discussion

Leave TLSv1 enabled but prioritize TLS1.2 or TLS1.1 over v1

Recent Discussions

iRule condition - request contains more than 10000 parameters

Citrix XenServer Big-IP Upgrade help

Hi All, We have viprion 4300 with 4450 blades with 6 blades all blades having same configuration

BWC iRule

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

Enableing TLS1.2

Enable telnet on SSH

Enable SAML Service Provider on F5 Distributed Cloud Application

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions

enable WebSocket profile.