Forum Discussion
justin_westove1
Mar 03, 2016Nimbostratus
Leave TLSv1 enabled but prioritize TLS1.2 or TLS1.1 over v1
We've disabled SSL all together on our F5 but we still allow TLSv1, TLSv1.1 and 1.2. We notice that most of our clients are hitting us on TLSv1 even though we support 1.2. Our clients have stated tha...
Hannes_Rapp_162
Nacreous
I'm not sure what else you have configured in your cipher string, or in the clientssl profile. Probably another option takes priority (i.e sort by bit strength or speed?). Regardless, this option alone clearly works as intended (using BigIP v11.5.4 in this sample)
tmm --clientciphers 'DEFAULT:+TLSv1'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
1: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
2: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
3: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
4: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
5: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
6: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
7: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 5 RC4-SHA 128 TLS1.1 Native RC4 SHA RSA
12: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
13: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
14: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
15: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
16: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
17: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
18: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
19: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
20: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
21: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
22: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
23: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
24: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
25: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
26: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
27: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
justin_westove1
Mar 04, 2016Nimbostratus
Ok i didn't type that command to verify, i typed just "tmm --clientcipher DEFAULT"...you're right, that does look to have taken care of it.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects