Forum Discussion

Nimbostratus

Feb 04, 2015

No TLSv1: Will this Disable only TLS1.0 while allow TLS1.1/TLS1.2/TLS1.3 ?

Hi Team, We are in a process of disabling all SSL plus TLS1.0 version, and we are running 10.2.4 version. Kindly confirm whether by saying No TLSv1: Will this Disable only TLS1.0 while allo...

Brad_Parker

Cirrus

Mar 24, 2015

Yes, No TLSv1 will still allow TLSv1.2. According to https://support.f5.com/kb/en-us/solutions/public/11000/400/sol11444.html TLSv1.1 is not included in 10.2.4.

As for the cipher lists you could use

DEFAULT:!SSLv3:!TLSv1

. This will disable both SSLv3 and TLSv1 while still allowing TLSv1.2(TLSv1.1 is availabel in 11.x)

https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html

Default cipher lists https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10262.html https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html

Ken_McGarrahan_

Nimbostratus

Mar 24, 2015

A-ha! Order is the key. Add the ciphers you'll allow at the start of the list, and remove the ones you don't through specification of "-" options, as you've noted above. For example, to allow only AES256-SHA and AES128-SHA over TLSv1.1 or TLSv1.2 or DTLSv1 by removing SSLv3 and TLSv1.0: AES128-SHA:AES256-SHA:-SSLv3:-TLSv1

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)