v11.3 v11.4.1 server ssl profile change of behaviour? TLS1.2 used by default

Question

Hi
using the default server SSL profile in v11.3 (hf8), we see that the bigip uses tls1.0 towards the server. After an upgrade to 11.4.1 (hf4), we see that tls 1.2 is used (rejected by server in our case).&nbsp;

I haven't found any document on AskF5 listing such change of behaviour, anyone could point me to some if any? Or a document that list the default behaviour (no cipher but tls version).&nbsp;

We do not want to change the server ssl profile because we use APM and there are several backend servers involved. How can I change/force the TLS version serverside in an iRule?&nbsp;

Thanks. Alex&nbsp;

dan_l1 · Answer

TLS 1.0 was/is vulnerable to BEAST, pretty sure that's why it defaults to 1.2 in newer code levels.. see: SOL13400&nbsp;

sulaiman_85782 · Answer

We experienced a similar issue. We created a new Server Side SSL profile, where we enabled the No TLSv1.1 and No TLSv1.2 options.&nbsp;
Once we enabled this on the ServerSide SSL Profile our apps started working.&nbsp;

cory_50405 · Answer

You can change the cipher string in your server SSL profile like this, as Sulaiman has done:&nbsp;
DEFAULT:!TLSv1_2:!TLSv1_1&nbsp;

Forum Discussion

v11.3 > v11.4.1 server ssl profile change of behaviour? TLS1.2 used by default

3 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

VIP in https that redirect to another vip in https

2026 301a exam

F5OS login with admin/root failed via console

UCS Encryption Question

Related Content

F5 BIG-IP Advanced WAF – "dos profile" reporting

F5 BIG-IP Advanced WAF – DOS profile configuration options.

iControl REST Cookbook - Virtual Server Profile (LTM Virtual Profiles)

SSL Profiles Part 8: Client Authentication

How OneConnect Profile works with Cookie Persistence

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS