Forum Discussion

paulpatriot_129's avatar
paulpatriot_129
Icon for Nimbostratus rankNimbostratus
Jan 20, 2017

Restrict BIGIQ to TLSv1.2 Only

I need to restrict BIGIQ to TLSv1.2 only. How do you go about doing this?  
BIG-IQ
security
  • Kevin_K_51432's avatar
    Kevin_K_51432
    Jan 20, 2017

    Greetings, Just a quick search through this article:

    https://support.f5.com/csp/article/K17007

K17007: Restricting BIG-IQ user interface access to clients using high-encryption SSL ciphers and protocols

    Perhaps try:

    vi /etc/webd/webd.conf

remove-> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add----> ssl_protocols TLSv1.2;

bigstart restart webd
bigstart status webd

    Kevin

David_Stout's avatar
David_Stout
Icon for Nimbostratus rankNimbostratus
Feb 07, 2019

Unfortunately even with the change it is still responding to TLS1.1 connections even though disabled.

[admin@uklprlbiq01:Active:Standalone] ~  cat /etc/webd/webd.conf | grep ssl_protocols
        ssl_protocols TLSv1.2;

Both Qualys and SSLPressure are both reporting this.

SSLPressure - version: 2013-03-17

[+] Target: X.X.X.X
[+] Target ip: X.X.X.X
[+] Loaded 11 SSL2 ciphers
[+] Loaded 220 SSL3/TLS ciphers
[+] Using exhaustive tests by blocks.
[+] Starting tests...
[+] No response for PCT.

[+] Found: 002F - TLS1.1 -  AES128-SHA
[+] Found: 0035 - TLS1.1 -  AES256-SHA
[+] Found: 002F - TLS1.2 -  AES128-SHA
[+] Found: 0035 - TLS1.2 -  AES256-SHA
[+] Found: 003D - TLS1.2 -  AES256-SHA256
[+] Found: 009C - TLS1.2 -  AES128-GCM-SHA256
[+] Found: 009D - TLS1.2 -  AES256-GCM-SHA384