Forum Discussion

j_hardin80's avatar
j_hardin80
Icon for Nimbostratus rankNimbostratus
Oct 03, 2023

TLS1

Forgive me but I'm pretty green when it comes to these F5's. We have an F5 LTM that is load balancing our internal and external email. We just had a pen test done and they saw TLS1 and 1.1 open from ...
security
j_hardin80's avatar
j_hardin80
Icon for Nimbostratus rankNimbostratus

Sorry, yes this is HTTPS traffic.

I'm not so sure we are worried about granularity at this point, so you are saying I should remove the "NO_TLSv1.3" and add the NO_TLSv1 and NO_TLSv1.1 in the options on the client ssl profile?

But how can find out if there are any other virtual servers using that same clent ssl profile before I make any changes?

Thank you!

PSFletchTheTek's avatar
PSFletchTheTek
Icon for MVP rankMVP
Oct 03, 2023

Ok lets start from a test. If you can find a device that runs nmap that can get to the external interface try running this,
nmap --script ssl-enum-ciphers -p 443 <Your domain name here.com>

This should show you what you are dealing with and a method to prove that its worked!

Then under your ssl profile you need to chnage the config from "Basic" to "Advanced"
Then you'll see the Options List

Here is mine, it appears its flow down so NO DTLSv1.2 turns off everything below that and leaves TLSv1.3.
I don't know a location to see where a profile is used in a virtual server, but if you get a ucs file or the internal conf files out using the cli you could do a quick word search in the config maybe?

But you can go into the certificates and see which profiles they are used in which might get you "close" to the same place.

Does that help any more?

 

  • j_hardin80's avatar
    j_hardin80
    Icon for Nimbostratus rankNimbostratus
    Oct 03, 2023

    If that is the case then I'm not sure where the TLS is showing up as being open, in our profile we have NO_TLSv1.3 so that should cover 1 and 1.1.

    Does it use the Options if it's greyed out or do I need to actually select the checkbox for the profile to "use" it?

    • PSFletchTheTek's avatar
      PSFletchTheTek
      Icon for MVP rankMVP
      Oct 03, 2023

      Now, i used the cyphers profile which also controled tls1.0, 1.1 1.2 etc.
      And no tls1.3 basically turned it all of.
      But i needed that nop dtls1.2 for it to work. So maybe one is covering up the other thinking about it.

      The best thing to do, is run that nmap command so you can see what you are playing with and work from there.

      • j_hardin80's avatar
        j_hardin80
        Icon for Nimbostratus rankNimbostratus
        Oct 03, 2023

        That's what I'm saying though.

        ours has NO_TLSv1.3 so that should block 1 and 1.1 but our pen test says 1 and 1.1 is open