
Disable TLS version 1.0 and Reconfig Self-signed Certificate on Management Interface

Hoang_Hung
Altostratus

Hi all

We are using F5 running in HA mode.

After checking the PCI DSS V3.2 security recommendations, we have 2 errors:

  1. Disable TLS 1.0 Protocol Detection on Management Interface (using HTTPS)
  2. Reconfig Self-signed Certificate on Management Interface

Please help me configure these 2 issues.

 

Thanks all

Hung Hoang

3 REPLIES

NAG
Cirrostratus

Hi Hoang,

 

1) Disable TLS 1.0 Protocol Detection on Management Interface (using HTTPS)

 

ANS: If you want to restrict to only TLS 1.1 and TLS 1.2 ciphers and disable use of TLS 1.0, then type the following commands:

# tmsh modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1'

# tmsh save sys config

# bigstart restart httpd

 

2) Reconfig Self-signed Certificate on Management Interface

 

Ans:

K42531434: Replacing the Configuration utility's self-signed SSL certificate with a CA-signed SSL certificate

https://support.f5.com/csp/article/K42531434

 

Hope this helps.

 

Let me know if you have any questions,

Nag

 

 

Hi  

1) Disable TLS 1.0 Protocol Detection on Management Interface (using HTTPS)

What happens if I use the command: # tmsh modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1'

# tmsh save sys config

# bigstart restart httpd

>> I think it will impact all running services on the F5 device. We only apply on the Management Interface.

Please give your recommendation.

2) Reconfig Self-signed Certificate on Management Interface

We only reconfigure on the Management Interface.

> Please help me

 

Thanks NAG

NAG
Cirrostratus

Hi Hoang,

 

>> I think it will impact all running services on the F5 device. We only apply on the Management Interface.

Please give your recommendation.

 

ANS: It will not impact all the services. It only applies to the management GUI interface (Configuration utility), which is accessed via HTTPS.

 

Here is the documentation from F5 for your confirmation.

https://clouddocs.f5.com/training/community/public-cloud/html/class4/module2/mgmt-cipher.html

 

>> We only reconfigure on the Management Interface.

 

Maybe you are thinking the Configuration utility and the Management Interface are 2 different things. F5 calls the Management Interface the Configuration utility.

 

"Configuration utility = Management Interface"

 

Therefore, the following article is for the management interface.

K42531434: Replacing the Configuration utility's self-signed SSL certificate with a CA-signed SSL certificate

https://support.f5.com/csp/article/K42531434

 

 

Hope this helps.

Thank you

Nag
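
Added example (not part of the thread and not F5 code): a way to see what the cipher string from the replies above actually keeps, by expanding it with Python's `ssl` module and grouping the surviving suites by the protocol version that first defined them. It assumes the OpenSSL build linked into the local Python interpreter; the httpd on a BIG-IP links its own OpenSSL, so the exact suite names on the appliance will differ. The function names `expand` and `audit` are made up for this example.

```python
import ssl
from collections import Counter

# Cipher string exactly as given in the reply above.
PAGE_CIPHER_STRING = "ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1"


def expand(cipher_string):
    """Return {suite name: protocol that first defined it} for a cipher
    string, as resolved by the OpenSSL build behind this interpreter."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def audit(cipher_string, baseline="ALL"):
    """Compare a cipher string with a baseline and summarise what survives."""
    kept = expand(cipher_string)
    base = expand(baseline)
    removed = {name: proto for name, proto in base.items() if name not in kept}
    # Any suite defined before TLS 1.2 can be negotiated by a TLS 1.0 client.
    legacy = sorted(n for n, p in kept.items() if p not in ("TLSv1.2", "TLSv1.3"))
    return {
        "kept_by_protocol": Counter(kept.values()),
        "removed_by_protocol": Counter(removed.values()),
        "legacy_suites_still_enabled": legacy,
    }


if __name__ == "__main__":
    report = audit(PAGE_CIPHER_STRING)
    print("kept   :", dict(report["kept_by_protocol"]))
    print("removed:", dict(report["removed_by_protocol"]))
    print("legacy suites still enabled:", report["legacy_suites_still_enabled"] or "none")
```

OpenSSL labels each suite by the protocol version that first defined it, so excluding `SSLv3` and `TLSv1` leaves only suites that require TLS 1.2 or later. After changing the appliance, confirm the result with a scanner run against the management address.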