F5 TLS Versions on Config Utility

Hi All,
I've just been scanned on an ITHC; it's identified that the config utility is allowing TLS 1.0 and 1.1 to still be negotiated.
Is there a way I can set the web service on the config util to only allow TLS 1.2 and 1.3 or even just 1.3?

Thanks

Fletch

3 REPLIES 3

Hello,

For the F5 management (F5 GUI and SSH), check out the below articles:

https://support.f5.com/csp/article/K40232071

https://support.f5.com/csp/article/K22426638

For SSL profiles for services published through F5, check the below:

  • Go to Local Traffic > Profiles > SSL > Client.
  • Enter SSL profile
  • For Configuration, select Advanced.
  • If you are creating a new profile, under Options, select the Custom check box.
  • For Options, select Options List.
  • Under Options List, for Available Options, press Shift, select No SSL, No SSLv2, No SSLv3, and No TLSv1, and then click Enable.
    • This is just an example of how to disable some weak TLS versions.
    • (enabling means disabling these options)

https://support.f5.com/csp/article/K31320003

https://support.f5.com/csp/article/K33000012

Thanks, I've done it for services before.
It's the GUI side. Do I need to run both of those KBs or is this one https://support.f5.com/csp/article/K40232071 enough?
It looks like it does the same and a little more as it covers or can cover ciphers.

Thanks for the quick response!

You're correct, they will have the same impact. You don't need to run them both. 

Regarding TLSv1.3, BIG-IP versions prior to 17.0 don't support it on the configuration utility.