For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tyson_James's avatar
Tyson_James
Icon for Cirrus rankCirrus
Oct 19, 2021

TLS Supported versions...

Our Security Team has requested that we enable support for TLS 1.2 and TLS 1.3 and disable support for TLS 1.0. I am looking at our client ssl profile and it currently has the following as Enabled O...
BIG-IP
LTM
security
Fallout1984's avatar
Fallout1984
Icon for Cirrocumulus rankCirrocumulus
Oct 19, 2021

For the enabled options, you can do:

 

Don't insert empty fragments, No TLSv1, No TLSv1.1, No SSLv2 and No SSLv3 (if that one's listed).

 

Also, if No TLSv1.3 is there, then remove it. Once you're finished, you can check the site cert (if it's accessible from off-site) via ssllabs.com - you can run a check/report there which will give you a score.

 

Note that your cert security is not just enabled/disabled TLS, SSL, etc. The ciphers you allow/disallow matter as well. You can try "DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH" (the @STRENGTH will begin cipher negotiation with the strongest and proceed to the weakest). The downside can be backend servers/apps that don't play well with newer ciphers so, like they say, "your mileage may vary."

 

This page has some useful info regarding SSL/TLS Best Practices:

https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

 

Good Luck!

Alan

Tyson_James's avatar
Tyson_James
Icon for Cirrus rankCirrus
Oct 19, 2021

Thank you. I will try this out.