For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

paulpatriot_129's avatar
paulpatriot_129
Icon for Nimbostratus rankNimbostratus
Jan 20, 2017
Solved

Restrict BIGIQ to TLSv1.2 Only

I need to restrict BIGIQ to TLSv1.2 only. How do you go about doing this?  
BIG-IQ
security
  • Kevin_K_51432's avatar
    Kevin_K_51432
    Jan 20, 2017

    Greetings, Just a quick search through this article:

    https://support.f5.com/csp/article/K17007

K17007: Restricting BIG-IQ user interface access to clients using high-encryption SSL ciphers and protocols

    Perhaps try:

    vi /etc/webd/webd.conf

remove-> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add----> ssl_protocols TLSv1.2;

bigstart restart webd
bigstart status webd

    Kevin

Kevin_K_51432's avatar
Kevin_K_51432
Historic F5 Account
Jan 20, 2017

Greetings, Just a quick search through this article:

https://support.f5.com/csp/article/K17007

K17007: Restricting BIG-IQ user interface access to clients using high-encryption SSL ciphers and protocols

Perhaps try:

vi /etc/webd/webd.conf

remove-> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add----> ssl_protocols TLSv1.2;

bigstart restart webd
bigstart status webd

Kevin

  • paulpatriot_129's avatar
    paulpatriot_129
    Icon for Nimbostratus rankNimbostratus
    Jan 23, 2017

    Thanks I updated the following ssl protocols and the cipher and restarted the webd service.

     

    ssl_protocols TLSv1.2;

     

    ssl_ciphers DHE-RSA-AES128-GCM-SHA256;

     

    restart /sys service webd

     

    That fixed the issue

     

  • Kevin_K_51432's avatar
    Kevin_K_51432
    Historic F5 Account
    Jan 23, 2017

    Awesome, thanks for the confirmation! The more we know...

     

    Kevin