For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ken_B_50116's avatar
Ken_B_50116
Icon for Cirrostratus rankCirrostratus
Nov 04, 2015

Question about forcing TLS 1.2 and SOL13171

I found article SOL13171 that says to just use "TLSv1_2" in the Ciphers field, and this will force TLS 1.2. That sounds simple enough, but without also including "NATIVE" in the field, how can the e...
Ken_B_50116's avatar
Ken_B_50116
Icon for Cirrostratus rankCirrostratus
Nov 05, 2015

Here is a variant on my original question: I'm running 11.4.1 HF7. If I wanted to offer TLS 1.2 but not require it, then based on sol13156, most of the cipher suites include TLS 1.2 and a lower version. So at that point the version of TLS used depends on what the client tells the server it can support, and the LTM should use the most secure version?

 

Brad_Parker's avatar
Brad_Parker
Icon for Cirrus rankCirrus
Nov 05, 2015
That is correct. The client sends its supported ciphers in the client Hello and the server, in this case the BigIP, will choose the cipher that matches highest in its list.