Technical Forum

How to set top priority for TLS 1.2 protocol over TLS 1.0 for client ciphers in BIG-IP v11.6.x

Ghislain_Pellet
Nimbostratus

Problem: The F5 (version 11.6.x) establishes a TLS 1.0 connection for a client browser even if protocols TLS 1.2 and TLS 1.1 are part of the supported ciphers on both sides (client browser and F5 client-side).

How can I force the F5 to use the highest protocol available? How can I reorder the ciphers/protocols to put TLS 1.2 at the top of the protocol negotiation mechanism? How does the F5 perform the TLS protocol negotiation?

The cipher string: DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1

tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1'

      ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
0:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES     SHA     EDH/RSA
1:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES     SHA     EDH/RSA
2:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES     SHA     EDH/RSA
3:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES     SHA     EDH/RSA
4:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES     SHA     EDH/RSA
5:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES     SHA     EDH/RSA

The client browser is Safari 11.1 (the latest version at time of writing).

2 REPLIES

nathe
Cirrocumulus

Ghislain, have you seen this solution: Configure the cipher strength of SSL profiles?

It suggests adding @strength at the end of the cipher string.

Hope this helps

N

Hi Ghislain,

If it's generally just about ordering by protocol preference, the following cipher string will do it:

DEFAULT:+TLSv1_1:+TLSv1:+DTLSv1

Please check via command line:

tmm --clientciphers 'DEFAULT:+TLSv1_1:+TLSv1:+DTLSv1'

The "+" prefix lowers the preference of the specifier (it applies to handshake methods, bulk crypto and message digest algorithms as well).

Back to your specific case it would be the following:

DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:+TLSv1_1:+TLSv1:!DTLSv1

Verification:

tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:+TLSv1_1:+TLSv1:!DTLSv1' 

       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES       SHA     EDH/RSA
 1:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES       SHA     EDH/RSA
 2:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES       SHA     EDH/RSA
 3:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES       SHA     EDH/RSA
 4:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES       SHA     EDH/RSA
 5:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES       SHA     EDH/RSA

In a previous post ("TMOS SSL TLS Cipher Cheat Sheet") I tried to summarize the different approaches for cipher specification including aliases and keywords.

Cheers, Stephan
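To make the "!" and "+" operator semantics discussed in this thread concrete, here is an added Python model that reproduces both tmm --clientciphers listings above from their cipher strings. It is example code written for this page, not F5's implementation and not code from either poster. It assumes, for illustration only, that every named suite is initially offered on SSL3, TLS1, TLS1.1, TLS1.2 and DTLS1, that DEFAULT stands for the two constructed suites in its table rather than F5's real built-in list, and that first_negotiable (walk the server list in order and take the first entry the client also supports) is a simplified picture of why the list order matters, not BIG-IP's actual negotiation logic.

```python
from dataclasses import dataclass

# Constructed suite table for the two suites that appear in the thread:
# name -> (cipher id as tmm prints it in decimal, key bits).
SUITES = {
    "DHE-RSA-AES128-SHA": (51, 128),
    "DHE-RSA-AES256-SHA": (57, 256),
}

# Assumption (not from the page): base protocol order a suite is offered on,
# lowest to highest, with DTLS last.
PROTOCOLS = ["SSL3", "TLS1", "TLS1.1", "TLS1.2", "DTLS1"]

# Cipher-string protocol keyword -> PROT label used in tmm output.
PROTO_KEYWORDS = {
    "SSLv3": "SSL3",
    "TLSv1": "TLS1",
    "TLSv1_1": "TLS1.1",
    "TLSv1_2": "TLS1.2",
    "DTLSv1": "DTLS1",
}


@dataclass(frozen=True)
class Entry:
    suite: str
    proto: str

    @property
    def cipher_id(self):
        return SUITES[self.suite][0]

    @property
    def bits(self):
        return SUITES[self.suite][1]


def expand(cipher_string):
    """Return the ordered (suite, protocol) list a cipher string selects.

    Modelled operators, as used in the thread:
      - bare suite name: append the suite on every non-banned protocol
      - !PROTO: drop PROTO entries and keep it banned for later tokens
      - +PROTO: move PROTO entries to the end, preserving relative order
      - DEFAULT: constructed alias for every suite in SUITES (assumption)
    """
    entries = []
    banned = set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, name = (token[0], token[1:]) if token[0] in "!+" else ("", token)
        if op in ("!", "+"):
            proto = PROTO_KEYWORDS.get(name)
            if proto is None:
                raise ValueError(f"unsupported specifier in this model: {token}")
            if op == "!":
                banned.add(proto)
                entries = [e for e in entries if e.proto != proto]
            else:
                kept = [e for e in entries if e.proto != proto]
                demoted = [e for e in entries if e.proto == proto]
                entries = kept + demoted
        else:
            names = list(SUITES) if name == "DEFAULT" else [name]
            for suite in names:
                if suite not in SUITES:
                    raise ValueError(f"unknown suite in this model: {token}")
                for proto in PROTOCOLS:
                    e = Entry(suite, proto)
                    if proto not in banned and e not in entries:
                        entries.append(e)
    return entries


def render(entries):
    """Render entries in the column layout of `tmm --clientciphers`."""
    lines = ["      ID  SUITE                            BITS PROT"]
    for i, e in enumerate(entries):
        lines.append(f"{i}: {e.cipher_id:5d}  {e.suite:<32} {e.bits:4d} {e.proto}")
    return "\n".join(lines)


def first_negotiable(entries, client_protocols):
    """Illustration only (assumption, not BIG-IP's real algorithm): walk the
    server list in order and return the first entry whose protocol the
    client also offers. Shows why TLS1 wins when it is listed first."""
    for e in entries:
        if e.proto in client_protocols:
            return e
    return None


if __name__ == "__main__":
    asked = "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1"
    fixed = "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:+TLSv1_1:+TLSv1:!DTLSv1"
    client = {"TLS1", "TLS1.1", "TLS1.2"}   # constructed: a TLS 1.2 capable client
    for s in (asked, fixed):
        print(s)
        print(render(expand(s)))
        print("first match for client:", first_negotiable(expand(s), client))
        print()
```

Running it prints the original list with TLS1 first and the corrected list with TLS1.2 first, matching the two tmm listings in this thread; compare the rendered output with tmm --clientciphers on a real unit before trusting the model for any other specifier.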