
Parveez_70209
Feb 04, 2015

No TLSv1: Will this Disable only TLS1.0 while allow TLS1.1/TLS1.2/TLS1.3 ?

Hi Team,

We are in the process of disabling all SSL versions plus TLS1.0, and we are running version 10.2.4.

Kindly confirm whether, by saying No TLSv1, this will disable only TLS1.0 while allowing TLS1.1/TLS1.2/TLS1.3?

Thanks and Regards PZ

13 Replies

  • So, you are confirming that by saying "No TLSv1" in the 10.2.4 VERSION, it will still allow TLS1.1/TLS1.2/TLS1.3 but disable only TLS1.0, right?

    Thanks and Regards Parveez

    • Ken_McGarrahan_
      On an 11.6 image, the above lists 0 ciphers. Attempting to add it to a client profile yields the following:

      tmsh modify ltm profile client-ssl mySecureProfile ciphers "-TLSv1"
      01070311:3: Ciphers list '-TLSv1' for profile /Common/mySecureProfile denies all clients

      Is there no method to limit TLS support to only TLSv1_1 or TLSv1_2?
    • brice
      You have to give it ~something~ to start with. The above is saying "you can use no ciphers, and also disable TLSv1". Try:

      tmm --clientciphers 'DEFAULT:!TLSv1'

      That should yield:

      tmm --clientciphers 'DEFAULT:!TLSv1'
           ID     SUITE                      BITS  PROT    METHOD  CIPHER  MAC     KEYX
       0:  61     AES256-SHA256              256   TLS1.2  Native  AES     SHA256  RSA
       1:  53     AES256-SHA                 256   TLS1.1  Native  AES     SHA     RSA
       2:  53     AES256-SHA                 256   TLS1.2  Native  AES     SHA     RSA
       3:  53     AES256-SHA                 256   DTLS1   Native  AES     SHA     RSA
       4:  60     AES128-SHA256              128   TLS1.2  Native  AES     SHA256  RSA
       5:  47     AES128-SHA                 128   TLS1.1  Native  AES     SHA     RSA
       6:  47     AES128-SHA                 128   TLS1.2  Native  AES     SHA     RSA
       7:  47     AES128-SHA                 128   DTLS1   Native  AES     SHA     RSA
       8:  10     DES-CBC3-SHA               192   TLS1.1  Native  DES     SHA     RSA
       9:  10     DES-CBC3-SHA               192   TLS1.2  Native  DES     SHA     RSA
      10:  10     DES-CBC3-SHA               192   DTLS1   Native  DES     SHA     RSA
      11:  5      RC4-SHA                    128   TLS1.1  Native  RC4     SHA     RSA
      12:  5      RC4-SHA                    128   TLS1.2  Native  RC4     SHA     RSA
      13:  49192  ECDHE-RSA-AES256-SHA384    256   TLS1.2  Native  AES     SHA384  ECDHE_RSA
      14:  49172  ECDHE-RSA-AES256-CBC-SHA   256   TLS1.1  Native  AES     SHA     ECDHE_RSA
      15:  49172  ECDHE-RSA-AES256-CBC-SHA   256   TLS1.2  Native  AES     SHA     ECDHE_RSA
      16:  49191  ECDHE-RSA-AES128-SHA256    128   TLS1.2  Native  AES     SHA256  ECDHE_RSA
      17:  49171  ECDHE-RSA-AES128-CBC-SHA   128   TLS1.1  Native  AES     SHA     ECDHE_RSA
      18:  49171  ECDHE-RSA-AES128-CBC-SHA   128   TLS1.2  Native  AES     SHA     ECDHE_RSA
      19:  49170  ECDHE-RSA-DES-CBC3-SHA     192   TLS1.1  Native  DES     SHA     ECDHE_RSA
      20:  49170  ECDHE-RSA-DES-CBC3-SHA     192   TLS1.2  Native  DES     SHA     ECDHE_RSA

      But I would get rid of RC4 as well. So:

      tmm --clientciphers 'DEFAULT:!SSLv3:!TLSv1:!RC4'

      (note I'm on 11.5.1, so my default will be different than yours). Look at SOL13163 mentioned above for version default differences.
    • brice
      note: the string within the ' (single quotes) would go into your client ssl profile
  • Yes, No TLSv1 will still allow TLSv1.2. According to https://support.f5.com/kb/en-us/solutions/public/11000/400/sol11444.html TLSv1.1 is not included in 10.2.4.

    As for the cipher lists, you could use

    DEFAULT:!SSLv3:!TLSv1

    This will disable both SSLv3 and TLSv1 while still allowing TLSv1.2 (TLSv1.1 is available in 11.x).

    https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html

    Default cipher lists https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10262.html https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html

    • Ken_McGarrahan_
      A-ha! Order is the key. Add the ciphers you'll allow at the start of the list, and remove the ones you don't through specification of "-" options, as you've noted above. For example, to allow only AES256-SHA and AES128-SHA over TLSv1.1 or TLSv1.2 or DTLSv1 by removing SSLv3 and TLSv1.0:

      AES128-SHA:AES256-SHA:-SSLv3:-TLSv1
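Both brice's 'DEFAULT:!TLSv1' listing and Ken's "order is the key" observation follow from the cipher string being evaluated left to right. The block below is an added example written for this thread, not F5 code: it models that evaluation against a constructed suite table, and the keyword semantics, the SSL3/TLS1.0 rows and the name-matching rule are all assumptions made for the illustration.

```python
# Added example, not F5 code: a toy evaluator for the OpenSSL-style cipher
# string syntax that F5 client-ssl profiles and `tmm --clientciphers` accept.
# Assumed semantics: the list starts empty; a bare keyword appends matching
# rows; "-X" drops matches (a later keyword can add them back); "!X" drops
# them permanently. That is why "-TLSv1" on its own selects nothing at all.

# Constructed suite table modelled on the tmm listing quoted in the thread;
# SSL3 and TLS1.0 rows are added so that the filters have something to drop.
DEFAULT_SUITES = [
    ("AES256-SHA256", ["TLS1.2"]),
    ("AES256-SHA", ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "DTLS1"]),
    ("AES128-SHA", ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "DTLS1"]),
    ("DES-CBC3-SHA", ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "DTLS1"]),
    ("RC4-SHA", ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]),
    ("ECDHE-RSA-AES128-CBC-SHA", ["TLS1.0", "TLS1.1", "TLS1.2"]),
]
DEFAULT = [(name, prot) for name, prots in DEFAULT_SUITES for prot in prots]

# Protocol keywords select rows by the PROT column; TLSv1 is TLS 1.0 only.
PROTOCOL_KEYWORDS = {"SSLv3": "SSL3", "TLSv1": "TLS1.0", "TLSv1_1": "TLS1.1",
                     "TLSv1_2": "TLS1.2", "DTLSv1": "DTLS1"}

def matches(entry, keyword):
    """True if a (suite, protocol) row is selected by one cipher keyword."""
    name, prot = entry
    if keyword == "DEFAULT":
        return True
    if keyword in PROTOCOL_KEYWORDS:
        return prot == PROTOCOL_KEYWORDS[keyword]
    # Simplification: "RC4" matches "RC4-SHA" through its hyphenated parts.
    return keyword == name or keyword in name.split("-")

def evaluate(cipher_string):
    """Return the ordered (suite, protocol) rows the cipher string allows."""
    selected, killed = [], set()
    for token in cipher_string.split(":"):
        if token.startswith("!"):      # permanent removal
            hits = {e for e in DEFAULT if matches(e, token[1:])}
            killed |= hits
            selected = [e for e in selected if e not in hits]
        elif token.startswith("-"):    # removal a later keyword can undo
            selected = [e for e in selected if not matches(e, token[1:])]
        else:                          # append matching rows not yet listed
            selected += [e for e in DEFAULT if matches(e, token)
                         and e not in killed and e not in selected]
    return selected

def protocols(cipher_string):
    """Protocol versions a client can still negotiate under cipher_string."""
    return sorted({prot for _, prot in evaluate(cipher_string)})
```

Running evaluate("-TLSv1") returns an empty list (the "denies all clients" case), while "DEFAULT:!TLSv1" and Ken's "AES128-SHA:AES256-SHA:-SSLv3:-TLSv1" both leave TLS1.1, TLS1.2 and DTLS1 rows in place.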