Forum Discussion
TLS1
If that is the case then I'm not sure where the TLS is showing up as being open. In our profile we have NO_TLSv1.3, so that should cover 1 and 1.1.
Does it use the Options if it's greyed out or do I need to actually select the checkbox for the profile to "use" it?
Now, I used the ciphers profile, which also controlled tls1.0, 1.1, 1.2 etc.
And no tls1.3 basically turned it all off.
But I needed that no dtls1.2 for it to work. So maybe one is covering up the other, thinking about it.
The best thing to do is run that nmap command so you can see what you are playing with and work from there.
- j_hardin80, Oct 03, 2023, Nimbostratus
That's what I'm saying though.
Ours has NO_TLSv1.3, so that should block 1 and 1.1, but our pen test says 1 and 1.1 is open.
- Oct 03, 2023
Yeah, I think I made a mistake, as the cipher profile overrides some of that config and made it work.
No tls1.3 will not enable it; the config is a bit backwards. "Enable" NO TLS, for example, is a positive then a negative.
So if you want tls 1.3 then you need to take that out of enable options. This issue I think I had is that enable options needs something in there to work.
Have you got a test environment you could look at and test before you do this to see what happens?
- j_hardin80, Oct 03, 2023, Nimbostratus
Yes, let's say we DO NOT want TLS 1, 1.1, 1.2 and 1.3 for this sake. Our config has "enabled" NO_TLSv1.3, so that should block 1.3, 1.2, 1.1, and 1, correct?
BUT, if that is the case then I'm not sure where the TLS 1 and 1.1 is showing for the pen test, as it shows 1 and 1.1 is active, so therefore the above isn't working by blocking all the TLS versions.
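
The option semantics at issue in this thread, as an added example that is not part of any poster's reply or F5's own code: each NO_<version> entry under Options disables only that one protocol version, so a profile listing only NO_TLSv1.3 still negotiates TLS 1.0 through 1.2. The `options { ... }` snippets and the lowercase option spellings are constructed assumptions, and cipher-string restrictions, which the thread notes can also limit versions, are not modeled.

```python
import re

# Protocol versions a client-ssl profile can negotiate, oldest first.
VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"TLSv1", "TLSv1.1"}  # the versions the pen test reported as open


def parse_options(profile_text):
    """Return the option tokens inside an `options { ... }` stanza."""
    match = re.search(r"options\s*\{([^}]*)\}", profile_text)
    return match.group(1).split() if match else []


def _norm(token):
    # Treat NO_TLSv1.3 and no-tlsv1.3 as the same option (assumed spellings).
    return token.lower().replace("-", "_")


def enabled_versions(options):
    """Each NO_<version> flag removes exactly that version, nothing below it."""
    disabled = {_norm(opt) for opt in options}
    return [v for v in VERSIONS if _norm("NO_" + v) not in disabled]


def legacy_exposed(profile_text):
    """Legacy versions still negotiable under the profile's options."""
    return [v for v in enabled_versions(parse_options(profile_text)) if v in LEGACY]


# Constructed sample stanzas, not taken from any real device.
AS_POSTED = "options { dont-insert-empty-fragments no-tlsv1.3 }"
EXPLICIT = "options { dont-insert-empty-fragments no-tlsv1 no-tlsv1.1 }"

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("explicit", EXPLICIT)):
        opts = parse_options(text)
        print(f"{name}: enabled={enabled_versions(opts)} "
              f"legacy still open={legacy_exposed(text)}")
```

The result for a given profile should still be confirmed against the live virtual server with the nmap scan suggested earlier in the thread, since the cipher configuration can remove versions that the options leave enabled.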