Forgive me but I'm pretty green when it comes to these F5's. We have an F5 LTM that is load balancing our internal and external email. We just had a pen test done and they saw TLS1 and 1.1 open from the external IPs. Pretty simple setup, external email hits our mail URL, it gets NAT'd to internal IP of the F5 virtual server then that goes to our pools. Virtual server is using client ssl profile and I'm assuming that is where this TLS is showing up.What I need to know is how to find (cli command as we have many virtual servers) what virtual servers are using this specific SSL Profile so I can make sure the external is the only one before I make any changes to the profile.The current SSL profile option is set with just No_TLSv1.3, wouldn't that mean it's using everything else BUT 1.3? I would want to put v1 and v1.1 in there instead right? Thanks for the help!

j_hardin80 If you are in tmsh you should be able to run the following command to find them relatively quick. list ltm virtual | grep -E "virtual |<ssl_client_profile_name>" This will give you multiple lines but the ones you're interested in are the ones with the virtual server name immediately followed by the ssl client profile name that you're interested in. In the command above make sure to replace the entire string "<ssl_client_profile_name>" with the ssl client profile name in question.

HI,Not sure it makes much difference but is this HTTPS or SMTP traffic? (only interested for possible context later)now, what you want to look at is your client ssl profile. Inside there is selection's for "no tls" or "no tls1.1" etc etc. So by selecting the ones you don't want it will turn them off. The way i did it, was to use a cypher profile, and link that to your ssl profile. This meant i could have granual control not just of the encyrption used (TLS) but also the hashes which also came up on a pen test for me!Have a look if that answers your question, if not let me know and i can send you some links or screen shots.

Sorry, yes this is HTTPS traffic.I'm not so sure we are worried about granularity at this point, so you are saying I should remove the "NO_TLSv1.3" and add the NO_TLSv1 and NO_TLSv1.1 in the options on the client ssl profile?But how can find out if there are any other virtual servers using that same clent ssl profile before I make any changes?Thank you!

Ok lets start from a test. If you can find a device that runs nmap that can get to the external interface try running this,nmap --script ssl-enum-ciphers -p 443 <Your domain name here.com> This should show you what you are dealing with and a method to prove that its worked! Then under your ssl profile you need to chnage the config from "Basic" to "Advanced"Then you'll see the Options List Here is mine, it appears its flow down so NO DTLSv1.2 turns off everything below that and leaves TLSv1.3.I don't know a location to see where a profile is used in a virtual server, but if you get a ucs file or the internal conf files out using the cli you could do a quick word search in the config maybe? But you can go into the certificates and see which profiles they are used in which might get you "close" to the same place. Does that help any more?

If that is the case then I'm not sure where the TLS is showing up as being open, in our profile we have NO_TLSv1.3 so that should cover 1 and 1.1.Does it use the Options if it's greyed out or do I need to actually select the checkbox for the profile to "use" it?

TLS1 | DevCentral

Paulius
MVP
Oct 03, 2023
j_hardin80 If you are in tmsh you should be able to run the following command to find them relatively quick.

list ltm virtual | grep -E "virtual |<ssl_client_profile_name>"

This will give you multiple lines but the ones you're interested in are the ones with the virtual server name immediately followed by the ssl client profile name that you're interested in. In the command above make sure to replace the entire string "<ssl_client_profile_name>" with the ssl client profile name in question.
- PSFletchTheTek
  MVP
  Oct 03, 2023
  Now that's useful thanks Paulius
- j_hardin80
  Nimbostratus
  Oct 03, 2023
  Thank you but I'm not sure it's working for me. No matter what SSL Profile name I use, it gives me the same listing of virtual servers that I know aren't using that profile.
  - Paulius
    MVP
    Oct 04, 2023
    j_hardin80 That is correct, it will output all virtual servers followed by the SSL profile. It would look something like this.
    
    ltm virtual VS_1.1.1.1_443
    ltm virtual VS_2.2.2.2_443
    CLIENTSSL-myprofile
    ltm virtual VS_3.3.3.3_443
    
    Notice how you have 2 VS back to back and then an indented SSL profile name. You will have to go through the text that shows up in the terminal and grab all VS names that are immediately followed by the SSL profile you are looking for. I don't know of a better way of searching this without doing some complicated regex search.
PSFletchTheTek
MVP
Oct 03, 2023
HI,
Not sure it makes much difference but is this HTTPS or SMTP traffic? (only interested for possible context later)
now, what you want to look at is your client ssl profile.

Inside there is selection's for "no tls" or "no tls1.1" etc etc. So by selecting the ones you don't want it will turn them off.

The way i did it, was to use a cypher profile, and link that to your ssl profile. This meant i could have granual control not just of the encyrption used (TLS) but also the hashes which also came up on a pen test for me!
Have a look if that answers your question, if not let me know and i can send you some links or screen shots.
- j_hardin80
  Nimbostratus
  Oct 03, 2023
  Sorry, yes this is HTTPS traffic.
  I'm not so sure we are worried about granularity at this point, so you are saying I should remove the "NO_TLSv1.3" and add the NO_TLSv1 and NO_TLSv1.1 in the options on the client ssl profile?
  But how can find out if there are any other virtual servers using that same clent ssl profile before I make any changes?
  Thank you!
  - PSFletchTheTek
    MVP
    Oct 03, 2023
    Ok lets start from a test. If you can find a device that runs nmap that can get to the external interface try running this,
    nmap --script ssl-enum-ciphers -p 443 <Your domain name here.com>
    
    This should show you what you are dealing with and a method to prove that its worked!
    
    Then under your ssl profile you need to chnage the config from "Basic" to "Advanced"
    Then you'll see the Options List
    
    Here is mine, it appears its flow down so NO DTLSv1.2 turns off everything below that and leaves TLSv1.3.
    I don't know a location to see where a profile is used in a virtual server, but if you get a ucs file or the internal conf files out using the cli you could do a quick word search in the config maybe?
    
    But you can go into the certificates and see which profiles they are used in which might get you "close" to the same place.
    
    Does that help any more?
T-Trust
Cirrostratus
Oct 04, 2023
Hello,
I hope this information will help you, So i think you can custom SSL profile with specific cipher for SSL handshake with client side or server side, Please following article below,
How to disable SSL protocols or specific versions of TLS on an SSL profile such as TLS 1.0 and TLS 1.1 (f5.com)
In case you want to use TLSv1.2, You can using this string in custom SSL cipher "DEFAULT:TLSv1_2:!TLSv1:!TLSv1_1"

Forum Discussion

TLS1

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Options No TLSv1 and No TLSv1.1 set but curl still shows curl .. -tls1 connects

TLS1.x Padding Vulnerability Workaround and EAS

New Cipher for TLS1.x Padding Vulnerability

Re: Cipher Suite Practices and Pitfalls

Cipher Rules And Groups in BIG-IP v13

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS