Forum Discussion
LTM VM 16.1.2.2 - Disable TLSv1.1 in clientssl, can still Openssl to it?
After an audit, required to disable TLSv1.1 on our new F5 VM LTM's
Following various F5 Documents, enable "No TLSv1.1" in Local Traffic / Profiles / SSl / Client / clientssl
Then sign in to bash, following command:
#openssl s_client - connect n.n.n.n:443 -tls1_1
Command displays the Server certificate
I then tried #openssl s_client - connect n.n.n.n:443 -tls1 (as this option available)
- No peer certificates available / No client certifcate CA names sent / SSL handshake has read 0 bytes etc..
richy01908 is it possible for you to share the configuration of the SSL profile with us? Purely based on the response it might be a case that the SSL cipher suite that is associated to that SSL profile has TLS1.1 ciphers in it. You might have to create a custom SSL cipher suite string to enter that doesn't include TLS1.1.
you should not use that default clientssl profile.
You should have a custom ssl profile for each vip.
Hi,
So to the vip where this profile is configured can you run nmap?
nmap --script ssl-enum-ciphers -p 443 <my ip or dns>
This should tell you what you have.
I have just done the same for my environment, I found the cypher profile and the "no tls1.1" section argued with each other and i think the cypher would override that filter.
So i made a custom cypher rule and group and applied that to the clientssl profile i was using.
I found that nmap command gave me some good output to help fault find the issue.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com