Forum Discussion

Vijay_01's avatar
Vijay_01
Icon for Altostratus rankAltostratus
Jun 21, 2023

TLSv1.0 and TLSv1.1 disable in Device Certificate

Hi Team,

Recently, the vulnerability management team in our organization gave a report where they mentioned that the device SSL certificate (self-signed/CA-signed) used to access the F5 GUI has TLSv1.0 and TLSv1.1 enabled and we need to disable it. In case of VIP (client-ssl profile), I know how to disable it under the client-ssl profile settings, but I have no idea how can we disable the obsolete TLS versions for the device cert (as there is no ssl profile for device cert).

Vijay

  • Hi Vijay_01 , 

    Those Articles will help you : 
    https://my.f5.com/manage/s/article/K40232071

    https://my.f5.com/manage/s/article/K13405

    it ourlines the below steps , so try to mimc it : 

    Procedures
    
    Listing the current Configuration utility cipher string
    Restricting Configuration utility access to clients who use high-encryption SSL ciphers
    Listing the current Configuration utility cipher string
    
    Before you change the Configuration utility SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, perform the following procedure:
    
    Impact of procedure: Performing the following procedure should not have a negative impact on your system.
    
    Log in to the tmsh utility by typing the following command:
    tmsh
    
    To list the currently configured cipher string, type the following command:
    list /sys httpd ssl-ciphersuite
    
    For example, the BIG-IP 11.0.0 system displays the following cipher string:
    
    ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
    
    Restricting Configuration utility access to clients who use high-encryption SSL ciphers
    
    Impact of procedure: Clients using low-encryption SSL ciphers will not be able to access the Configuration utility.
    
    Log in to the tmsh utility by typing the following command:
    tmsh
    
    To restrict Configuration utility access to clients using high-encryption ciphers, type the following command:
    modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT40:!EXP:!LOW:!RC4'
    
    Save the configuration change by typing the following command:
    save /sys config

     

  • Alternatively, if you can restrict to only TLS 1.2 cipher, then type the following command instead:

    tmsh modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1'

    tmsh save sys config

    That should do it. Sounds like the security team only wants you to use TLSv1.2 🙂

     

2 Replies

  • Hi Vijay_01 , 

    Those Articles will help you : 
    https://my.f5.com/manage/s/article/K40232071

    https://my.f5.com/manage/s/article/K13405

    it ourlines the below steps , so try to mimc it : 

    Procedures
    
    Listing the current Configuration utility cipher string
    Restricting Configuration utility access to clients who use high-encryption SSL ciphers
    Listing the current Configuration utility cipher string
    
    Before you change the Configuration utility SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, perform the following procedure:
    
    Impact of procedure: Performing the following procedure should not have a negative impact on your system.
    
    Log in to the tmsh utility by typing the following command:
    tmsh
    
    To list the currently configured cipher string, type the following command:
    list /sys httpd ssl-ciphersuite
    
    For example, the BIG-IP 11.0.0 system displays the following cipher string:
    
    ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
    
    Restricting Configuration utility access to clients who use high-encryption SSL ciphers
    
    Impact of procedure: Clients using low-encryption SSL ciphers will not be able to access the Configuration utility.
    
    Log in to the tmsh utility by typing the following command:
    tmsh
    
    To restrict Configuration utility access to clients using high-encryption ciphers, type the following command:
    modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT40:!EXP:!LOW:!RC4'
    
    Save the configuration change by typing the following command:
    save /sys config

     

  • Alternatively, if you can restrict to only TLS 1.2 cipher, then type the following command instead:

    tmsh modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1'

    tmsh save sys config

    That should do it. Sounds like the security team only wants you to use TLSv1.2 🙂