SSL Profiles Part 5: SSL Options

Several months ago (ok, maybe lots and lots of months ago), Jason Rahm wrote a great series of Tech Tips that cover the BIG-IP LTM SSL profiles.   SSL Overview and Handshake SSL Certificates ...
Updated Mar 24, 2023
Version 6.0
LTM
security
series-the-ssl-profile
ssl
tech tip
Ludovic_G_11565's avatar
Ludovic_G_11565
Icon for Nimbostratus rankNimbostratus
Oct 13, 2017

This page is missing the following options : * NoTLSv1.1 * NoTLSv1.2

 

I'm trying to figure in which version of the Big IP F5 LTM version these have been introduced.

 

Currently on one of our F5, we have an outdate version BIG-IP 11.2.1 Build 1312.23 Engineering Hotfix HF14. On this version when activating the following options : * NoSSLv2 * NoSSLv3 * NoTLSv1 The client is not able to connect, as TLSv1.1 and TLVSv1.2 are blocked because of options * NoTLSv1

 

In later versions, BIG-IP 11.5.4 Build 2.0.291 Hotfix HF2, the options : * NoTLSv1.1 * NoTLSv1.2

 

Are available.

 

Moreover, due to internal company reasons, we cannot update the version of firmware on the outdate Big IP F5.

 

Can I manage, using an iRule to do the same ?

 

Currently, I did see some iRules which redirect unsecure protocol to specific pages, but this is not what I want to achieve, ideally I would like to be able to handle SSL negotiation and refuse TLSv1.0 and TLSv1.1.

 

Thank you! Ludovic