F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Tom_K's avatar
Tom_K
Icon for Nimbostratus rankNimbostratus
Jan 16, 2020

TLS 1.3 on Bigip 14.1.2.3

I have enabled TLS 1.3 on BigIp version 14.1.2.3 and when I run the test for the site at ssllabs the best grade I can get is a "B" with this message. "This server supports weak Diffie-Hellman (DH) ...
application delivery
BIG-IQ
LTM
Leonardo_Souza's avatar
Leonardo_Souza
Icon for Cirrocumulus rankCirrocumulus
Jan 16, 2020

I don't know exactly what change you did to use TLS1.3, but I guess you changed the cipher to just use TLS1.3 as that is a common mistake.

That will basically enable all ciphers that TLS1.3 supports, even the less secure ones that are not enabled in the default cipher.

TLS1.3 is fully supported in the version you are using, but is disabled by default:

https://support.f5.com/csp/article/K10251520

I would start the tests changing the cipher to DEAFULT, and enable TLS1.3 using the options list.

If does not work, see the option list, as there are also things for DH.

Also, try to get more information about which cipher the test is complaining about.

If you run the following command in your F5, it will show the list of cipher for the cipher string you are using:

tmm --client "DEFAULT"

I used default, but you could use any other cipher string.

Anyway, the version defaults are in this solution:

https://support.f5.com/csp/article/K54125331

Also, is normally important to add some security HTTP headers to the sites.

That normally blocks you to get a A+, so I can assume you already have the headers.