Forum Discussion
TLSv1.0 and TLSv1.1 disable in Device Certificate
Hi Team,
Recently, the vulnerability management team in our organization gave a report where they mentioned that the device SSL certificate (self-signed/CA-signed) used to access the F5 GUI has TLSv1.0 and TLSv1.1 enabled and we need to disable it. In the case of a VIP (client-ssl profile), I know how to disable it under the client-ssl profile settings, but I have no idea how we can disable the obsolete TLS versions for the device cert (as there is no SSL profile for the device cert).
Vijay
Hi Vijay_01,
These articles will help you:
https://my.f5.com/manage/s/article/K40232071
https://my.f5.com/manage/s/article/K13405
It outlines the steps below, so try to mimic it:
Procedures:
- Listing the current Configuration utility cipher string
- Restricting Configuration utility access to clients who use high-encryption SSL ciphers

Listing the current Configuration utility cipher string

Before you change the Configuration utility SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the tmsh utility by typing the following command:
   tmsh
2. To list the currently configured cipher string, type the following command:
   list /sys httpd ssl-ciphersuite
   For example, the BIG-IP 11.0.0 system displays the following cipher string:
   ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2

Restricting Configuration utility access to clients who use high-encryption SSL ciphers

Impact of procedure: Clients using low-encryption SSL ciphers will not be able to access the Configuration utility.

1. Log in to the tmsh utility by typing the following command:
   tmsh
2. To restrict Configuration utility access to clients using high-encryption ciphers, type the following command:
   modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT40:!EXP:!LOW:!RC4'
3. Save the configuration change by typing the following command:
   save /sys config
Alternatively, if you can restrict to TLS 1.2 ciphers only, then type the following command instead:
tmsh modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1'
tmsh save sys config
That should do it. Sounds like the security team only wants you to use TLSv1.2 🙂
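An added verification check, not part of the original thread and not F5 code: after changing the httpd settings, run this from a workstation to confirm that the Configuration utility now refuses TLS 1.0 and TLS 1.1 handshakes while TLS 1.2 still works. The host name bigip.example is a placeholder, and the probe skips certificate validation because a self-signed device cert would otherwise fail before the protocol version is tested.

```python
import socket
import ssl
import sys

# The two versions the vulnerability report flagged, plus the one that must keep working.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def _handshake(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`; return the negotiated version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Validation is off on purpose: we are testing protocol acceptance, not the cert chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Lower the OpenSSL security level so the client is actually willing to offer
    # legacy versions; otherwise a "refused" result could come from our own side.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def probe_tls_versions(host, port=443, handshake=_handshake):
    """Return {label: bool}; True means the server completed a handshake at that version."""
    results = {}
    for label, version in VERSIONS.items():
        try:
            results[label] = handshake(host, port, version) is not None
        except (ssl.SSLError, ConnectionError, socket.timeout, OSError):
            results[label] = False  # server (or our client) refused this version
    return results


def legacy_tls_disabled(results):
    """The remediation goal: TLS 1.0 and 1.1 refused, TLS 1.2 still reachable."""
    return not results["TLSv1.0"] and not results["TLSv1.1"] and results["TLSv1.2"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "bigip.example"  # placeholder host
    outcome = probe_tls_versions(target)
    for label, accepted in outcome.items():
        print(f"{label}: {'ACCEPTED' if accepted else 'refused'}")
    print("remediated" if legacy_tls_disabled(outcome) else "legacy TLS still enabled")
```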