Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

How to disable only TLS v1 & TLS v1.1 on specific virtual server

Go to solution
Cpet
Nimbostratus
Nimbostratus

‎22-Feb-2023 00:05

Hi all,

Could you help me how to disable only TLS v1 & TLS v1.1 on specific virtual server and no to entire ssl profile.

Thank you in advance,

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
mihaic
MVP
MVP

‎22-Feb-2023 04:11 - edited ‎22-Feb-2023 04:12

try this irule:

when CLIENT_ACCEPTED {
    SSL::profile vip_ssl_no_TLSv1
}

 where vip_ssl_no_TLSv1 is another SSL profile  where you disable whatever you want.

I tested with this cipher string : DEFAULT:!TLSv1:!TLSv1_1

View solution in original post

0 Kudos
9 REPLIES 9

Go to solution
mihaic
MVP
MVP

‎22-Feb-2023 01:01

here is a link that shows you how,:

https://support.f5.com/csp/article/K33000012

you do it from SSL CLient profile.

 

0 Kudos

Go to solution
Cpet
Nimbostratus
Nimbostratus
In response to mihaic

‎22-Feb-2023 01:31

Hi Mihaic,

Thanks for your responce.
I have allready read the suggested article but i want to disable TLS v1 & TLS v1.1 only on a specific virtual server without disable TLS v1 & TLS v1.1 in the SSL profile.Is it possible with an irule for example?

 

0 Kudos

Go to solution
P_Kueppers
MVP
MVP
In response to Cpet

‎22-Feb-2023 02:28

Create a new SSL-Profile and use your current one as parent. Then deactivate tls1/1.1 and put this on the virtual server. 

0 Kudos

Go to solution
Cpet
Nimbostratus
Nimbostratus
In response to P_Kueppers

‎22-Feb-2023 03:04

Hi,
Correct , but i don't want to create a lot of SSL profiles.Also I wanted to know if it was possible to do it with an irule.

Thanks.

 

 

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Feb-2023 02:03 - edited ‎22-Feb-2023 02:35

Usually, you have an SSL client profile per virtual server, right? I don't see why you want to do it in an irule.

You can try to reject the connection if it has a TLS version, but I don't know if you can change the TLS version:

when CLIENTSSL_CLIENTHELLO {
    if {([SSL::cipher version] equals "TLSv1.1") || ([SSL::cipher version] equals "TLSv1")} {
        log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - REJECT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
        reject }
    else
    {
        log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - ACCEPT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    }

}

 

Go to solution
Cpet
Nimbostratus
Nimbostratus
In response to mihaic

‎22-Feb-2023 03:08

In that case i have many VS with the same SSL profile and I wanted to know if it was possible to do it with an irule.
I will try the suggested irule.

Thanks

0 Kudos

Go to solution
mihaic
MVP
MVP

‎22-Feb-2023 04:11 - edited ‎22-Feb-2023 04:12

try this irule:

when CLIENT_ACCEPTED {
    SSL::profile vip_ssl_no_TLSv1
}

 where vip_ssl_no_TLSv1 is another SSL profile  where you disable whatever you want.

I tested with this cipher string : DEFAULT:!TLSv1:!TLSv1_1

0 Kudos

Go to solution
Cpet
Nimbostratus
Nimbostratus
In response to mihaic

‎22-Feb-2023 04:53

It works!
Thank you for your support.

0 Kudos

Go to solution
KennethGarcia
Nimbostratus
Nimbostratus

‎25-Feb-2023 00:10

Thank you for helping me as well 🙂

Minimal deposit casinos are perfect for people who wish to try their luck without putting too much money at risk. You can locate the best low deposit casinos Canada by going to https://casinosanalyzer.ca/online-casinos/low-deposits This means you may enjoy playing your favourite games without having to make a huge payment.
0 Kudos
Copyright © 2023 Khoros, LLC