Forum Discussion

mikeshermanit_2
Sep 21, 2016

TLS SSL Profile question.

I have an SSL profile that is currently linked to a Virtual Server in our production environment. Under the advanced configuration > Ciphers I see "DEFAULT:!TLSv1".

Does this mean that it's using TLS 1.0 only? If I wanted to change it to use TLS 1.2, how would I do so?

4 Replies

  • Hi Mike,

    As Kang has said, the ! negates the use of that cipher suite in the profile (in this case TLS 1.0).

    IF you wanted to use TLS 1.2 ONLY, there are options inside the SSL profile to do that.

    Note: Different versions of F5 code include different DEFAULT ciphers, i.e. prior to 11.5, SSLv3 was included in the DEFAULT list, and no-one wants that....


    • mikeshermanit_2

      Thanks for your support so far.

      Since reading your recommendation I've edited my SSL profile cipher to the following: DEFAULT:!SSLV3:!TLSV1:!TLSV1_1

      I'm still getting an error in the log that says "The request was aborted: Could not create SSL/TLS secure channel"

      Maybe I'm barking up the wrong tree altogether. The basic reason for my changes:

      "PayPal is in the process of upgrading the SSL certificates used to secure their websites and API endpoints. These new certificates will be signed using the SHA-256 algorithm and VeriSign's 2048-bit G5 Root Cert. They said we will need to ensure that our environment supports the use of the SHA-256 signing algorithm and discontinue the use of SSL connections that rely on the VeriSign G2 Root Cert." (PayPal)

      1) I checked to make sure that we have the VeriSign G5 Root cert on the F5 and I do see it under "SSL certificate list" (not sure if that's where it should go?)
      2) I think our environment supports the SHA-256 signing algorithm but I'm not exactly sure where to check that. The reason I think it does is because the SSL profile that is currently assigned to the Virtual Server to which our website is tied is using an SSL cert from GoDaddy that is using SHA-256.
      3) The reason I set the SSL profile cipher to DEFAULT:!SSLV3:!TLSV1:!TLSV1_1 is because PayPal's upgrade guide is saying that in order to test using the PayPal sandbox endpoints we had to support TLS 1.2.

      Our SSL offloading is happening on the F5 (clients to F5 is secure and from the F5 to the webservers is just plain HTTP), which I read is a pretty normal implementation. Right now everything is working with PayPal as the F5 is configured, but my tests are showing that it won't work after the deadline of the 30th when they switch to new endpoints. They give us test endpoints (sandbox endpoints) to use and they don't work.

      Any suggestions would be most helpful.


    • IainThomson85_1

      Hi Mike,

      Ideally you want to get a tcpdump of the handshake and analyse it in Wireshark to find the exact failure reason.

      See what protocols/ciphers the server offers, and see if the client can support those.
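Iain's advice is to capture the handshake and compare what the server offers with what the client can speak. The Python script below is added here as an illustration; it is not code from this thread, from F5 or from PayPal. It does both halves of that comparison offline: it models which protocol versions an F5-style cipher string such as DEFAULT:!SSLV3:!TLSV1:!TLSV1_1 leaves enabled (applying the ! negation discussed in the first reply), and it parses a TLS ClientHello record, the way Wireshark would, to list the versions and cipher suites the client offers. Assumptions: the set of protocols that DEFAULT enables is a modelling assumption (as noted above, it varies by BIG-IP release); only the DEFAULT keyword, bare protocol names and ! negations are modelled, not the full F5 cipher-string grammar; and the ClientHello bytes are constructed by the script itself rather than taken from a real capture.

```python
import struct

# Modelling assumption (not F5 documentation): the protocol versions that the
# DEFAULT keyword enables on a BIG-IP release whose DEFAULT list no longer
# includes SSLv3.  Per the thread, releases before 11.5 also included SSLV3.
DEFAULT_PROTOCOLS = frozenset({"TLSV1", "TLSV1_1", "TLSV1_2"})

# Wire encoding (major, minor) of each protocol version as it appears in a capture.
WIRE_VERSION = {"SSLV3": (3, 0), "TLSV1": (3, 1), "TLSV1_1": (3, 2), "TLSV1_2": (3, 3)}
VERSION_NAME = {v: k for k, v in WIRE_VERSION.items()}
SUPPORTED_VERSIONS_EXT = 43          # TLS extension type for supported_versions


def server_protocols(cipher_string, default=DEFAULT_PROTOCOLS):
    """Protocol versions left enabled by an F5-style cipher string.

    Only the DEFAULT keyword, bare protocol names and '!NAME' negations are
    modelled; cipher-suite tokens are ignored.  Matching is case-insensitive,
    so 'DEFAULT:!TLSv1' and 'DEFAULT:!TLSV1' are treated the same.
    """
    enabled = set()
    for token in cipher_string.upper().split(":"):
        if token == "DEFAULT":
            enabled |= set(default)
        elif token.startswith("!"):
            enabled.discard(token[1:])        # '!' removes the entry outright
        elif token in WIRE_VERSION:
            enabled.add(token)
    return enabled


def build_client_hello(version, cipher_suites, supported_versions=None):
    """Construct a minimal TLS ClientHello record (test data, not a real capture)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"   # legacy version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                               # one compression method: null
    if supported_versions:                            # optional supported_versions extension
        vers = b"".join(bytes(v) for v in supported_versions)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(vers) + 1, len(vers)) + vers
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract what a ClientHello offers: protocol versions and cipher suites."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                            # past record + handshake headers
    client_version = tuple(record[pos:pos + 2])
    pos += 2 + 32                                      # version + random
    pos += 1 + record[pos]                             # session id
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + record[pos]                             # compression methods
    # Legacy semantics: client_version is the highest version the client speaks,
    # so every known version at or below it is on offer.
    offered = {name for name, v in WIRE_VERSION.items() if v <= client_version}
    if pos < len(record):                              # extensions block present
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:        # explicit list overrides the legacy field
                data = record[pos + 1:pos + elen]
                pairs = [(data[i], data[i + 1]) for i in range(0, len(data), 2)]
                offered = {VERSION_NAME[p] for p in pairs if p in VERSION_NAME}
            pos += elen
    return {"client_version": client_version, "offered": offered, "cipher_suites": suites}


def diagnose(record, cipher_string):
    """Compare the client's offer with the versions the profile leaves enabled."""
    hello = parse_client_hello(record)
    allowed = server_protocols(cipher_string)
    common = hello["offered"] & allowed
    return {"client_offers": sorted(hello["offered"]), "server_allows": sorted(allowed),
            "common": sorted(common), "handshake_possible": bool(common)}


if __name__ == "__main__":
    profile = "DEFAULT:!SSLV3:!TLSV1:!TLSV1_1"        # the string from the thread
    # Constructed: a legacy client whose highest version is TLS 1.0.
    old_client = build_client_hello((3, 1), [0x002F, 0x0035])
    print(diagnose(old_client, profile))               # no common version: handshake fails
    # Constructed: a client that can speak TLS 1.2.
    new_client = build_client_hello((3, 3), [0x009C, 0x002F])
    print(diagnose(new_client, profile))               # TLSV1_2 in common
```

Run as-is, the first diagnosis shows a client whose highest version is TLS 1.0 sharing no protocol version with a profile reduced to TLS 1.2, which is one way a handshake fails before any certificate is even examined; the second shows the TLS 1.2-capable client succeeding. With a real capture, the bytes handed to parse_client_hello would be the TLS record from the first client packet after the TCP handshake, and the server side of the comparison is what Iain suggests reading from the ServerHello (or the alert) in Wireshark.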