How to disable only TLS v1 & TLS v1.1 on specific virtual server

Cpet
Nimbostratus

Hi all,

Could you help me disable only TLS v1 & TLS v1.1 on a specific virtual server, and not on the entire SSL profile?

Thank you in advance,

9 REPLIES

mihaic
MVP

Here is a link that shows you how:

https://support.f5.com/csp/article/K33000012

You do it from the SSL Client profile.

 

Hi Mihaic,

Thanks for your response.
I have already read the suggested article, but I want to disable TLS v1 & TLS v1.1 only on a specific virtual server without disabling TLS v1 & TLS v1.1 in the SSL profile. Is it possible with an iRule, for example?

 

Create a new SSL-Profile and use your current one as parent. Then deactivate tls1/1.1 and put this on the virtual server. 

Hi,
Correct, but I don't want to create a lot of SSL profiles. Also, I wanted to know if it was possible to do it with an iRule.

Thanks.

 

 

mihaic
MVP

Usually, you have an SSL client profile per virtual server, right? I don't see why you want to do it in an irule.

You can try to reject the connection if it has a TLS version, but I don't know if you can change the TLS version:

when CLIENTSSL_CLIENTHELLO {
    # Reject the connection when the reported version is TLS 1.0 or TLS 1.1; log every decision.
    if {([SSL::cipher version] equals "TLSv1.1") || ([SSL::cipher version] equals "TLSv1")} {
        log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - REJECT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
        reject
    } else {
        log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - ACCEPT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    }
}
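
Added example, not part of the original thread: a Python parser for the log message format written by the iRule above, useful for listing which clients still negotiate TLS 1.0/1.1 on each VIP before legacy versions are switched off. The syslog prefix, client addresses and VIP names in the sample are constructed.

```python
import re
from collections import Counter

# Matches the message text produced by the iRule's "log local0." lines.
LINE_RE = re.compile(
    r"DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - (?P<action>REJECT|ACCEPT) "
    r"Client: (?P<client>\S+) (?P<version>\S+) - (?P<cipher>\S+) - "
    r"(?P<bits>\d+) - For the VIP - (?P<vip>\S+)"
)
LEGACY = {"TLSv1", "TLSv1.1"}
MSG = "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - "

# Constructed sample log (documentation addresses, hypothetical VIP names).
SAMPLE_LOG = "\n".join([
    "Jan 10 09:14:02 bigip1 tmm: " + MSG + "REJECT Client: 192.0.2.10 TLSv1 - AES128-SHA - 128 - For the VIP - /Common/vs_app1",
    "Jan 10 09:14:05 bigip1 tmm: " + MSG + "ACCEPT Client: 198.51.100.7 TLSv1.2 - ECDHE-RSA-AES128-GCM-SHA256 - 128 - For the VIP - /Common/vs_app1",
    "Jan 10 09:15:11 bigip1 tmm: " + MSG + "REJECT Client: 192.0.2.10 TLSv1 - AES128-SHA - 128 - For the VIP - /Common/vs_app1",
    "Jan 10 09:16:40 bigip1 tmm: " + MSG + "REJECT Client: 203.0.113.5 TLSv1.1 - AES256-SHA - 256 - For the VIP - /Common/vs_app2",
    "Jan 10 09:17:00 bigip1 mcpd: unrelated message that must be skipped",
])

def parse(log_text):
    """Yield one dict per iRule log line; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def legacy_clients(log_text):
    """Map each VIP to a Counter of (client, version) pairs using TLS 1.0/1.1."""
    report = {}
    for rec in parse(log_text):
        if rec["version"] in LEGACY:
            key = (rec["client"], rec["version"])
            report.setdefault(rec["vip"], Counter())[key] += 1
    return report

def policy_violations(log_text):
    """Return records whose logged action disagrees with the version policy."""
    return [r for r in parse(log_text)
            if (r["version"] in LEGACY) != (r["action"] == "REJECT")]

if __name__ == "__main__":
    for vip, clients in sorted(legacy_clients(SAMPLE_LOG).items()):
        for (client, version), hits in clients.most_common():
            print(f"{vip}: {client} used {version} ({hits} connections)")
    print("policy violations:", len(policy_violations(SAMPLE_LOG)))
```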

 

In that case I have many VS with the same SSL profile, and I wanted to know if it was possible to do it with an iRule.
I will try the suggested iRule.

Thanks

mihaic
MVP

Try this iRule:

when CLIENT_ACCEPTED {
    # Switch this connection to the client SSL profile that has TLS 1.0/1.1 disabled.
    SSL::profile vip_ssl_no_TLSv1
}

where vip_ssl_no_TLSv1 is another SSL profile where you disable whatever you want.

I tested with this cipher string: DEFAULT:!TLSv1:!TLSv1_1

It works!
Thank you for your support.

KennethGarcia
Nimbostratus

Thank you for helping me as well 🙂
