Restrict BIGIQ to TLSv1.2 Only
I need to restrict BIGIQ to TLSv1.2 only. How do you go about doing this?
- Kevin_K_51432 (Historic F5 Account)
Greetings, Just a quick search through this article:
https://support.f5.com/csp/article/K17007 K17007: Restricting BIG-IQ user interface access to clients using high-encryption SSL ciphers and protocols
Perhaps try:
vi /etc/webd/webd.conf
remove-> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add----> ssl_protocols TLSv1.2;
bigstart restart webd
bigstart status webd
Kevin
- paulpatriot_129 (Nimbostratus)
Thanks, I updated the following SSL protocols and the cipher and restarted the webd service.
ssl_protocols TLSv1.2;
ssl_ciphers DHE-RSA-AES128-GCM-SHA256;
restart /sys service webd
That fixed the issue.
- Kevin_K_51432 (Historic F5 Account)
Awesome, thanks for the confirmation! The more we know...
Kevin
- David_Stout (Nimbostratus)
Unfortunately, even with the change it is still responding to TLS1.1 connections even though disabled.
[admin@uklprlbiq01:Active:Standalone] ~ cat /etc/webd/webd.conf | grep ssl_protocols
ssl_protocols TLSv1.2;
Qualys and SSLPressure are both reporting this.
SSLPressure - version: 2013-03-17
[+] Target: X.X.X.X
[+] Target ip: X.X.X.X
[+] Loaded 11 SSL2 ciphers
[+] Loaded 220 SSL3/TLS ciphers
[+] Using exhaustive tests by blocks.
[+] Starting tests...
[+] No response for PCT.
[+] Found: 002F - TLS1.1 - AES128-SHA
[+] Found: 0035 - TLS1.1 - AES256-SHA
[+] Found: 002F - TLS1.2 - AES128-SHA
[+] Found: 0035 - TLS1.2 - AES256-SHA
[+] Found: 003D - TLS1.2 - AES256-SHA256
[+] Found: 009C - TLS1.2 - AES128-GCM-SHA256
[+] Found: 009D - TLS1.2 - AES256-GCM-SHA384
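For the mismatch reported in the last post, one way to compare what `ssl_protocols` enables with what a scanner actually negotiated, plus a live re-check of a single protocol version. This is an added example, not code from the thread participants or from F5; the function names are hypothetical and the sample strings are constructed from the lines quoted in the thread.

```python
import re
import socket
import ssl

# Constructed sample input, built from the directive and scanner lines quoted in the thread.
WEBD_CONF = "ssl_protocols TLSv1.2;\nssl_ciphers DHE-RSA-AES128-GCM-SHA256;\n"
SCAN_OUTPUT = """\
[+] Found: 002F - TLS1.1 - AES128-SHA
[+] Found: 0035 - TLS1.1 - AES256-SHA
[+] Found: 009C - TLS1.2 - AES128-GCM-SHA256
"""

def normalize(name):
    """Map 'TLSv1.1', 'TLS1.1' or 'tls 1.1' to the canonical form 'TLSv1.1'."""
    m = re.fullmatch(r"(SSL|TLS)\s*v?\s*(\d(?:\.\d)?)", name.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised protocol name: {name!r}")
    return f"{m.group(1).upper()}v{m.group(2)}"

def configured_protocols(conf_text):
    """Protocols enabled by the last uncommented ssl_protocols directive."""
    hits = re.findall(r"^[ \t]*ssl_protocols[ \t]+([^;#\n]+);", conf_text, re.M)
    return {normalize(p) for p in hits[-1].split()} if hits else set()

def observed(scan_text):
    """Map protocol -> sorted cipher names taken from '[+] Found:' scanner lines."""
    found = {}
    for proto, cipher in re.findall(
            r"Found:\s*[0-9A-Fa-f]{4}\s*-\s*(\S+)\s*-\s*(\S+)", scan_text):
        found.setdefault(normalize(proto), set()).add(cipher)
    return {p: sorted(c) for p, c in found.items()}

def drift(conf_text, scan_text):
    """Protocols the scanner negotiated that the configuration does not enable."""
    allowed = configured_protocols(conf_text)
    return {p: c for p, c in observed(scan_text).items() if p not in allowed}

def accepts(host, port, version, timeout=5.0):
    """Live re-check: True if host completes a handshake pinned to `version`, e.g.
    ssl.TLSVersion.TLSv1_1. A local OpenSSL policy that refuses it also gives False."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # only the protocol version is under test
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False
```

A non-empty result from `drift()` means the listener that was scanned is not honouring the directive in the file that was read. `accepts()` lets you repeat the check after each restart without waiting for a full scan.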