22-Feb-2023 00:05
Hi all,
Could you help me disable only TLS v1 & TLS v1.1 on a specific virtual server and not on the entire SSL profile?
Thank you in advance,
22-Feb-2023 01:01
Here is a link that shows you how:
https://support.f5.com/csp/article/K33000012
You do it from the SSL Client profile.
22-Feb-2023 01:31
Hi Mihaic,
Thanks for your response.
I have already read the suggested article, but I want to disable TLS v1 & TLS v1.1 only on a specific virtual server without disabling TLS v1 & TLS v1.1 in the SSL profile. Is it possible with an iRule, for example?
22-Feb-2023 02:28
Create a new SSL-Profile and use your current one as parent. Then deactivate tls1/1.1 and put this on the virtual server.
22-Feb-2023 03:04
Hi,
Correct, but I don't want to create a lot of SSL profiles. Also, I wanted to know if it was possible to do it with an iRule.
Thanks.
22-Feb-2023 02:03 - edited 22-Feb-2023 02:35
Usually, you have an SSL client profile per virtual server, right? I don't see why you want to do it in an irule.
You can try to reject the connection if it has a TLS version, but I don't know if you can change the TLS version:
    when CLIENTSSL_CLIENTHELLO {
        # Reject the connection when the reported protocol version is TLSv1 or TLSv1.1
        if {([SSL::cipher version] equals "TLSv1.1") || ([SSL::cipher version] equals "TLSv1")} {
            log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - REJECT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
            reject
        } else {
            # Any other protocol version is logged and allowed through
            log local0. "DETECTED-TLSv1-CONNECTION - LOG_SSL_LEVEL - ACCEPT Client: [IP::client_addr] [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
        }
    }
22-Feb-2023 03:08
In that case I have many VS with the same SSL profile and I wanted to know if it was possible to do it with an iRule.
I will try the suggested irule.
Thanks
22-Feb-2023 04:11 - edited 22-Feb-2023 04:12
Try this iRule:

    when CLIENT_ACCEPTED {
        # Switch this virtual server's connections to the stricter client SSL profile
        SSL::profile vip_ssl_no_TLSv1
    }

where vip_ssl_no_TLSv1 is another SSL profile where you disable whatever you want.
I tested with this cipher string: DEFAULT:!TLSv1:!TLSv1_1
22-Feb-2023 04:53
It works!
Thank you for your support.