Forum Discussion
justin_westove1
Mar 03, 2016
Nimbostratus
Leave TLSv1 enabled but prioritize TLS1.2 or TLS1.1 over v1
We've disabled SSL altogether on our F5 but we still allow TLSv1, TLSv1.1 and 1.2. We notice that most of our clients are hitting us on TLSv1 even though we support 1.2. Our clients have stated tha...
Hannes_Rapp_162
Nacreous
Append +TLSv1 to your clientssl Cipher configuration. This will move all TLSv1.0 cipher suite combinations to the end of the list (least preferred).
I.e.:
DEFAULT:+TLSv1
justin_westove1
Mar 04, 2016
Nimbostratus
So after I made the change you suggested to the clientssl default cert on the F5 I executed the tmm --clientcipher DEFAULT command and got the following:
0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
1: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
2: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
Line 2 is the most important in this output: TLSv1 still has priority over TLS1.1 or 1.2. Thoughts?
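Added example, not part of the original thread: a shell function that reads `tmm --clientcipher` output in the column layout posted above and reports every TLS1 row that is listed above a TLS1.1 or TLS1.2 row. The function name `tls1_order_check` and the `SAMPLE` variable (the five rows from the post) are assumptions of this example; it checks list order only and says nothing about which protocol version a given client negotiates.

```shell
#!/bin/sh
# Usage on the BIG-IP (assumed): tmm --clientcipher 'DEFAULT:+TLSv1' | tls1_order_check
# Expected columns, as in the thread: index, ID, suite, bits, protocol, ...
# Returns non-zero when any TLS1 row sits above a TLS1.1/TLS1.2 row.
tls1_order_check() {
  awk '
    # Only rows that start with an index such as "2:" are cipher entries.
    $1 ~ /^[0-9]+:$/ {
      idx = $1; sub(/:$/, "", idx)
      n++; row[n] = idx; suite[n] = $3; prot[n] = $5
    }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        if (prot[i] != "TLS1") continue
        # Every newer-protocol row below a TLS1 row is one inversion.
        for (j = i + 1; j <= n; j++) {
          if (prot[j] == "TLS1.1" || prot[j] == "TLS1.2") {
            printf "row %s (%s TLS1) is listed above row %s (%s %s)\n", \
                   row[i], suite[i], row[j], suite[j], prot[j]
            bad++
          }
        }
      }
      printf "%d inversion(s)\n", bad
      exit (bad > 0)
    }'
}

# Sample input: the five rows quoted in the post above.
SAMPLE='0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
1: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
2: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA'

# Demonstration run; "|| true" keeps the script going after the non-zero result.
printf '%s\n' "$SAMPLE" | tls1_order_check || true
```

Run against the sample, the function flags row 2 against rows 3 and 4, which is the ordering the last post points out.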