
Enabling TLS1.2

mahjoub
Cirrus

Hi Dears,

I need to enable and use TLS 1.2 only instead of 1.0 or 1.1, for one specific published server.

My BIG-IP version is 12.0 VE.

This output may help you:

 ssl-ciphersuite DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP

Your kind assistance, please.

 

Thanks,

Osama

1 ACCEPTED SOLUTION

Hi mahjoub,

 

Yes, you can configure it through the GUI.

  1. You need to create a new client SSL profile - go to Local Traffic > Profiles > SSL > Client and create a new profile.
  2. Under the Advanced settings, select Custom Cipher Suites to block the required TLS/SSL versions. Adding "!" before any TLS/SSL or encryption parameter in the cipher string blocks that particular version.
  3. There is one more way to configure the same. Under the client SSL Advanced configuration, select Options List in the Options section. You will then get options to enable/disable a particular TLS/SSL version, e.g. for blocking TLS1.1, you can enable No TLS1.1 in this section so that it blocks TLS1.1.

This way you can achieve your requirement. You can refer to the F5 articles below for more details.

 

https://support.f5.com/csp/article/K13171

https://support.f5.com/csp/article/K33000012

 

Hope it helps!

Mayur

 


5 REPLIES

Simon_Blakely
F5 Employee

You need to create a specific Client-SSL profile for your virtual server.

The cipher string should be:

'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!TLSv1:!TLSv1_1'

You can also disable the TLSv1 and TLSv1.1 protocols as options in the client-SSL profile to ensure that those protocols cannot be negotiated.
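
An added example (not part of the original posts and not F5 code): a small Python audit of the cipher strings quoted in this thread, reporting whether each one explicitly excludes the TLSv1 and TLSv1_1 keywords. The function names are hypothetical; it assumes colon-separated, case-sensitive tokens with `!`, `-` and `+` behaving as in OpenSSL-style cipher strings, and it cannot see the profile's Options list or what DEFAULT expands to on a given BIG-IP version.

```python
# Added example: audit a cipher string for explicit legacy-TLS exclusions.
# Assumption: colon-separated, case-sensitive tokens, as written in the thread.
LEGACY = ("TLSv1", "TLSv1_1")  # protocol keywords used in the thread's strings

# Strings copied from the posts on this page.
ORIGINAL = "DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP"
SUGGESTED = "'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!TLSv1:!TLSv1_1'"


def audit_cipher_string(cipher_string):
    """Return {keyword: status} for each legacy protocol keyword.

    "excluded"     - a bare !KEYWORD token is present (permanent removal)
    "soft-removed" - only -KEYWORD is present (a later token may re-add it)
    "included"     - KEYWORD is named as an include and never hard-excluded
    "not-excluded" - the string never removes the keyword on its own
    """
    status = {kw: "not-excluded" for kw in LEGACY}
    for raw in cipher_string.strip().strip("'\"").split(":"):
        token = raw.strip()
        if not token:
            continue
        prefix = token[0] if token[0] in "!-+" else ""
        parts = token[len(prefix):].split("+")  # A+B means "A and B together"
        for kw in LEGACY:
            if kw not in parts or status[kw] == "excluded":
                continue  # '!' is permanent; nothing later undoes it
            if prefix == "!" and len(parts) == 1:
                status[kw] = "excluded"
            elif prefix == "-" and len(parts) == 1:
                status[kw] = "soft-removed"
            elif prefix == "":
                status[kw] = "included"
            # '!TLSv1+RC4' removes only that intersection and a leading '+'
            # only reorders, so neither changes the status.
    return status


def tls12_only_by_ciphers(cipher_string):
    """True only when every legacy keyword is hard-excluded in the string."""
    return all(s == "excluded" for s in audit_cipher_string(cipher_string).values())


if __name__ == "__main__":
    for name, value in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, audit_cipher_string(value), tls12_only_by_ciphers(value))
```

A result of False only means the string itself does not exclude the older protocols; a profile can still block them through the No TLSv1 / No TLSv1.1 options described in this thread.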

Hi Simon,

Thanks for your reply. I already have the client profile and it is associated with the server. Now, how do I enable TLS 1.2 through the GUI?

Ecesureshkumar
Nimbostratus

Create a cipher string with:

 

DEFAULT:!TLSv1:!TLSv1_1:!DHE:!AES-CBC+SHA

Hi Ecesureshkumar,

Is there any way to do it through the GUI?

Thanks,

 
