Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

How to disable only TLS v1 & TLS v1.1 on specific virtual server

Go to solution
Cpet
Altocumulus
Altocumulus

‎22-Feb-2023 00:05

Hi all,

Could you help me how to disable only TLS v1 & TLS v1.1 on specific virtual server and no to entire ssl profile.

Thank you in advance,

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
mihaic
MVP
MVP

‎22-Feb-2023 04:11 - edited ‎22-Feb-2023 04:12

try this irule:

when CLIENT_ACCEPTED {
    SSL::profile vip_ssl_no_TLSv1
}

 where vip_ssl_no_TLSv1 is another SSL profile  where you disable whatever you want.

I tested with this cipher string : DEFAULT:!TLSv1:!TLSv1_1

View solution in original post

0 Kudos
8 REPLIES 8

Go to solution
mihaic
MVP
MVP

‎22-Feb-2023 01:01

here is a link that shows you how,:

https://support.f5.com/csp/article/K33000012

you do it from SSL CLient profile.

 

0 Kudos

Go to solution
Cpet
Altocumulus
Altocumulus
In response to mihaic

‎22-Feb-2023 01:31

Hi Mihaic,

Thanks for your responce.
I have allready read the suggested article but i want to disable TLS v1 & TLS v1.1 only on a specific virtual server without disable TLS v1 & TLS v1.1 in the SSL profile.Is it possible with an irule for example?

 

0 Kudos

Go to solution
P_Kueppers
MVP
MVP
In response to Cpet

‎22-Feb-2023 02:28

Create a new SSL-Profile and use your current one as parent. Then deactivate tls1/1.1 and put this on the virtual server. 

0 Kudos

Go to solution
Cpet
Altocumulus
Altocumulus
In response to P_Kueppers

‎22-Feb-2023 03:04

Hi,
Correct , but i don't want to create a lot of SSL profiles.Also I wanted to know if it was possible to do it with an irule.

Thanks.

 

 

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Feb-2023 02:03 - edited ‎22-Feb-2023 02:35

Usually, you have an SSL client profile per virtual server, right? I don't see why you want to do it in an irule.

You can try to reject the connection if it has a TLS version, but I don't know if you can change the TLS version:

when CLIENTSSL_CLIENTHELLO {
    if {([SSL::cipher version] equals "TLSv1.1") || ([SSL::cipher version] equals "TLSv1")} {
        log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - REJECT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
        reject }
    else
    {
        log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - ACCEPT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    }

}

 

Go to solution
Cpet
Altocumulus
Altocumulus
In response to mihaic

‎22-Feb-2023 03:08

In that case i have many VS with the same SSL profile and I wanted to know if it was possible to do it with an irule.
I will try the suggested irule.

Thanks

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Feb-2023 04:11 - edited ‎22-Feb-2023 04:12

try this irule:

when CLIENT_ACCEPTED {
    SSL::profile vip_ssl_no_TLSv1
}

 where vip_ssl_no_TLSv1 is another SSL profile  where you disable whatever you want.

I tested with this cipher string : DEFAULT:!TLSv1:!TLSv1_1

0 Kudos

Go to solution
Cpet
Altocumulus
Altocumulus
In response to mihaic

‎22-Feb-2023 04:53

It works!
Thank you for your support.

0 Kudos
Copyright © 2023 Khoros, LLC