For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tom_K's avatar
Tom_K
Icon for Nimbostratus rankNimbostratus
Jan 16, 2020

TLS 1.3 on Bigip 14.1.2.3

I have enabled TLS 1.3 on BigIp version 14.1.2.3 and when I run the test for the site at ssllabs the best grade I can get is a "B" with this message. "This server supports weak Diffie-Hellman (DH) ...
application delivery
BIG-IQ
LTM
Leonardo_Souza's avatar
Leonardo_Souza
Icon for Cirrocumulus rankCirrocumulus
Jan 16, 2020

I don't know exactly what change you did to use TLS1.3, but I guess you changed the cipher to just use TLS1.3 as that is a common mistake.

That will basically enable all ciphers that TLS1.3 supports, even the less secure ones that are not enabled in the default cipher.

TLS1.3 is fully supported in the version you are using, but is disabled by default:

https://support.f5.com/csp/article/K10251520

I would start the tests changing the cipher to DEAFULT, and enable TLS1.3 using the options list.

If does not work, see the option list, as there are also things for DH.

Also, try to get more information about which cipher the test is complaining about.

If you run the following command in your F5, it will show the list of cipher for the cipher string you are using:

tmm --client "DEFAULT"

I used default, but you could use any other cipher string.

Anyway, the version defaults are in this solution:

https://support.f5.com/csp/article/K54125331

Also, is normally important to add some security HTTP headers to the sites.

That normally blocks you to get a A+, so I can assume you already have the headers.