Forum Discussion

richy01908

Nimbostratus

Jan 31, 2023

LTM VM 16.1.2.2 - Disable TLSv1.1 in clientssl, can still Openssl to it?

After an audit, required to disable TLSv1.1 on our new F5 VM LTM's Following various F5 Documents, enable "No TLSv1.1" in Local Traffic / Profiles / SSl / Client / clientssl Then sign in to bash, f...

MVP

Jan 31, 2023

Hi,
So to the vip where this profile is configured can you run nmap?
nmap --script ssl-enum-ciphers -p 443 <my ip or dns>

This should tell you what you have.
I have just done the same for my environment, I found the cypher profile and the "no tls1.1" section argued with each other and i think the cypher would override that filter.
So i made a custom cypher rule and group and applied that to the clientssl profile i was using.

I found that nmap command gave me some good output to help fault find the issue.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

LTM VM 16.1.2.2 - Disable TLSv1.1 in clientssl, can still Openssl to it?

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

upgrade apmclient 7.2.2.0 to 7.2.2.2 on os version 16.1.2.2

TLS server_name extension based routing without clientssl profile

Capture Virtual Server Clientssl Profile & Ciphers Mapping - Bash

limit to number of clientssl profiles

Disabling Weak Ciphers

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS