Forum Discussion
justin_westove1
Mar 03, 2016 Nimbostratus
Leave TLSv1 enabled but prioritize TLS1.2 or TLS1.1 over v1
We've disabled SSL altogether on our F5 but we still allow TLSv1, TLSv1.1 and 1.2. We notice that most of our clients are hitting us on TLSv1 even though we support 1.2. Our clients have stated tha...
Hannes_Rapp_162
Mar 04, 2016 Nacreous
I'm not sure what else you have configured in your cipher string, or in the clientssl profile. Probably another option takes priority (i.e. sort by bit strength or speed?). Regardless, this option alone clearly works as intended (using BIG-IP v11.5.4 in this sample):
tmm --clientciphers 'DEFAULT:+TLSv1'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
1: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
2: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
3: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
4: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
5: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
6: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
7: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 5 RC4-SHA 128 TLS1.1 Native RC4 SHA RSA
12: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
13: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
14: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
15: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
16: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
17: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
18: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
19: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
20: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
21: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
22: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
23: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
24: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
25: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
26: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
27: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
- justin_westove1, Mar 04, 2016, Nimbostratus: OK, I didn't type that command to verify; I typed just "tmm --clientcipher DEFAULT"... you're right, that does look to have taken care of it.
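An added example, not part of the original thread: a small Python check that parses saved `tmm --clientciphers` output and reports any row for another protocol that is listed after the first TLS1 row. The function names and the embedded sample (six rows copied from the listing above) are assumptions made for this illustration.

```python
import re
import sys

# Constructed sample: six rows copied from the listing in the thread above.
SAMPLE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
1: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
3: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
20: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
21: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
27: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
"""

# Row layout: "<index>: <id> <suite> <bits> <protocol> ..."
ROW = re.compile(r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s")

def parse_cipher_list(text):
    """Return [(index, suite, protocol)] in the order the rows were printed."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header line and blank lines do not match
            rows.append((int(m.group(1)), m.group(3), m.group(5)))
    return rows

def misordered(rows, deprioritized="TLS1"):
    """Rows for other protocols that appear after the first deprioritized row."""
    first = next((pos for pos, r in enumerate(rows) if r[2] == deprioritized), None)
    if first is None:  # protocol not offered at all, nothing to compare
        return []
    return [r for r in rows[first + 1:] if r[2] != deprioritized]

def check(text, deprioritized="TLS1"):
    """Parse the listing and return the misordered rows; reject empty input."""
    rows = parse_cipher_list(text)
    if not rows:
        raise ValueError("no cipher rows found in input")
    return misordered(rows, deprioritized)

if __name__ == "__main__":
    # Optional argument: a file holding saved `tmm --clientciphers '...'` output.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    late = check(text)
    for idx, suite, proto in late:
        print("row %d: %s (%s) is listed after a TLS1 suite" % (idx, suite, proto))
    print("FAIL" if late else "OK: all TLS1 suites are at the end of the list")
    sys.exit(1 if late else 0)
```
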