
Cipher Rule just for TLS1.3

warbie
Nimbostratus

I'm running 15.0.1 on a pair of 2000s and I was trying to put a cipher rule that just encompassed TLS1.3 so I can include it with my other ciphers in a group. Seems like I can only do 1.3 with TLS13-AES128-GCM-SHA256 and TLS13-AES256-GCM-SHA384, but I can't seem to shave off all the other included ciphers with my attempts. I really feel like I'm doing this wrong. Our security team wants to deprecate TLS1.1 and lower and I just want to make sure we are looking forward until TLS1.3 becomes more widely used.


Please help.

Here is what I have: AES-GCM:!DHE:!ECDHE:!ADH:!SSLv3:!TLSv1:!TLSv1_1:!ADH:!DHE:!RC4:!DES:!3DES:!MD5:!SHA:!RSA+AES:!RSA

  • ECDH-RSA-AES128-GCM-SHA256/TLS1.2
  • ECDH-RSA-AES256-GCM-SHA384/TLS1.2
  • ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
  • ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
  • ECDH-ECDSA-AES128-GCM-SHA256/TLS1.2
  • ECDH-ECDSA-AES256-GCM-SHA384/TLS1.2
  • DHE-DSS-AES128-GCM-SHA256/TLS1.2
  • DHE-DSS-AES256-GCM-SHA384/TLS1.2
  • TLS13-AES128-GCM-SHA256/TLS1.3
  • TLS13-AES256-GCM-SHA384/TLS1.3

1 ACCEPTED SOLUTION

Smithy
Cirrostratus


ltm cipher rule mozilla_modern_cipher_rule_v14 {
  cipher TLSv1_3
  dh-groups DEFAULT
  signature-algorithms DEFAULT
}


This works for me in BIG-IP 14.1.x


4 REPLIES


warbie
Nimbostratus

Brett, I'm rather embarrassed that I didn't try that. Thanks! You are awesome!

wlopez
Cirrostratus

I haven't tried v15 yet.


But on v14.1, TLS 1.3 is not included by default on the client ssl profiles.

When you create the profile you need to disable the default option named 'No TLSv1.3' from the option list.

The combination of disabling that option and selecting the cipher group created with TLS1.3 is what actually activates the protocol on the client profile.
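Putting the accepted answer's rule and wlopez's profile note together as one tmsh sequence (an added example, not code from the thread or from F5): the TLS 1.3-only rule goes into a group alongside an existing TLS 1.2 rule, and the client-ssl profile is created with an option list that omits no-tlsv1.3 (so TLS 1.3 is enabled) while adding no-tlsv1 and no-tlsv1.1 for the deprecation request. All object names are assumptions, tls12_strong_rule is assumed to already exist, and the option keywords and `ciphers none` are written from memory of 14.1 syntax rather than taken from the page.

```tmsh
# Cipher rule matching only the TLS 1.3 suites (same keyword as the accepted answer).
create ltm cipher rule tls13_only_rule { cipher TLSv1_3 dh-groups DEFAULT signature-algorithms DEFAULT }

# Cipher group: the TLS 1.3 rule plus an assumed, pre-existing TLS 1.2 rule.
create ltm cipher group tls12_13_group { allow add { tls13_only_rule tls12_strong_rule } }

# Client SSL profile. Selecting the group alone does not turn on TLS 1.3:
# the 14.1 default option list contains no-tlsv1.3, so the options are set
# explicitly without it. no-tlsv1 / no-tlsv1.1 / no-sslv3 refuse the legacy
# protocols the security team wants gone. "ciphers none" hands suite selection
# to the cipher group (assumed to be required when cipher-group is set).
create ltm profile client-ssl tls12_13_clientssl {
    defaults-from clientssl
    ciphers none
    cipher-group tls12_13_group
    options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1.1 }
}

# Verify: the group should expand to the TLS 1.2 suites plus the two TLS13-* suites,
# and the profile's options must not contain no-tlsv1.3.
list ltm cipher group tls12_13_group
list ltm profile client-ssl tls12_13_clientssl options
```

After attaching the profile to a virtual server, an external client check (for example openssl s_client with -tls1_3, then with -tls1_1) confirms that 1.3 negotiates and 1.1 is refused.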

warbie
Nimbostratus

Right. My issue was trying to make a cipher rule that I could add to a group that was just including TLSv1_3, which Brett brought to my attention. Thanks wlopez.