Leave TLSv1 enabled but prioritize TLS1.2 or TLS1.1 over v1

justin_westove1 (Nimbostratus)

We've disabled SSL altogether on our F5, but we still allow TLSv1, TLSv1.1 and 1.2. We notice that most of our clients are hitting us on TLSv1 even though we support 1.2. Our clients have stated that they're sending a list of ciphers that they support when they initially connect (TLSv1, 1.1, and 1.2). Even though they're supporting 1.2 and we support 1.2, their connection is still using 1.0. Looking at the tmm clientciphers DEFAULT command, I see that TLS1.0 is ordered above 1.1 and 1.2. Is there a way to reorder this or prioritize 1.2 and 1.1 over 1.0?


Hannes_Rapp (Nimbostratus)

Append +TLSv1 to your clientssl Cipher configuration. This will move all TLSv1.0 cipher suite combinations to the end of the list (least preferred).

I.e.:

DEFAULT:+TLSv1

Awesome thanks! Is this documented somewhere? I looked and couldn't find an article on this.

So after I made the change you suggested to the clientssl default cert on the F5, I executed the tmm --clientcipher DEFAULT command and got the following:

 0:   159  DHE-RSA-AES256-GCM-SHA384   256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
 1:   158  DHE-RSA-AES128-GCM-SHA256   128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
 2:    57  DHE-RSA-AES256-SHA          256  TLS1    Native  AES      SHA     EDH/RSA
 3:    57  DHE-RSA-AES256-SHA          256  TLS1.1  Native  AES      SHA     EDH/RSA
 4:    57  DHE-RSA-AES256-SHA          256  TLS1.2  Native  AES      SHA     EDH/RSA

Line 2 is the most important in this output: TLSv1 still has priority over TLS1.1 or 1.2. Thoughts?

Hannes_Rapp_162 (Nacreous)

I'm not sure what else you have configured in your cipher string, or in the clientssl profile. Probably another option takes priority (i.e. sort by bit strength or speed?). Regardless, this option alone clearly works as intended (using BigIP v11.5.4 in this sample):

 tmm --clientciphers 'DEFAULT:+TLSv1'
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
 1:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA
 2:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA
 3:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA
 4:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
 5:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA
 6:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA
 7:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA
 8:    10  DES-CBC3-SHA                     192  TLS1.1  Native  DES     SHA     RSA
 9:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA
10:    10  DES-CBC3-SHA                     192  DTLS1   Native  DES     SHA     RSA
11:     5  RC4-SHA                          128  TLS1.1  Native  RC4     SHA     RSA
12:     5  RC4-SHA                          128  TLS1.2  Native  RC4     SHA     RSA
13: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
14: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES     SHA     ECDHE_RSA
15: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA
16: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
17: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES     SHA     ECDHE_RSA
18: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
19: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES     SHA     ECDHE_RSA
20: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA
21:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA
22:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA
23:    10  DES-CBC3-SHA                     192  TLS1    Native  DES     SHA     RSA
24:     5  RC4-SHA                          128  TLS1    Native  RC4     SHA     RSA
25: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES     SHA     ECDHE_RSA
26: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES     SHA     ECDHE_RSA
27: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1    Native  DES     SHA     ECDHE_RSA

OK, I didn't type that command to verify, I typed just "tmm --clientcipher DEFAULT"... you're right, that does look to have taken care of it.
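As an added example (not code from the thread or from F5), the list operation that `+TLSv1` performs on a cipher list, plus the check the OP was doing by eye, run over a constructed copy of the five-line DEFAULT output quoted earlier in the thread; the parser and the column layout it assumes for the tmm output are assumptions.

```python
# Added example: models the OpenSSL-style "+<name>" operator (keep the
# matching suites but move them to the end of the list) and checks whether
# any TLS1 entry still precedes a TLS1.1/TLS1.2 entry.
import re
from typing import List, Tuple

Row = Tuple[int, str, str]  # (cipher id, suite name, protocol)

# Constructed sample: the five rows the OP reported for plain DEFAULT.
DEFAULT_SAMPLE = """\
 0:   159  DHE-RSA-AES256-GCM-SHA384  256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
 1:   158  DHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
 2:    57  DHE-RSA-AES256-SHA         256  TLS1    Native  AES      SHA     EDH/RSA
 3:    57  DHE-RSA-AES256-SHA         256  TLS1.1  Native  AES      SHA     EDH/RSA
 4:    57  DHE-RSA-AES256-SHA         256  TLS1.2  Native  AES      SHA     EDH/RSA
"""

# Assumed layout: "<rank>: <id> <suite> <bits> <protocol> ..." per line.
LINE_RE = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+\d+\s+(\S+)\s")


def parse_clientciphers(text: str) -> List[Row]:
    """Parse tmm --clientciphers style output into (id, suite, proto) rows."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def move_to_end(rows: List[Row], proto: str) -> List[Row]:
    """'+<proto>': demote matching rows to the end, keeping relative order."""
    kept = [r for r in rows if r[2] != proto]
    demoted = [r for r in rows if r[2] == proto]
    return kept + demoted


def first_tls1_before_newer(rows: List[Row]) -> int:
    """Index of the first TLS1 row that still precedes a TLS1.1/TLS1.2 row,
    or -1 when every TLS1 row sits after the newer ones (the desired state)."""
    for i, (_, _, proto) in enumerate(rows):
        if proto == "TLS1":
            if any(p in ("TLS1.1", "TLS1.2") for _, _, p in rows[i + 1:]):
                return i
    return -1


def demo() -> Tuple[int, int]:
    before = parse_clientciphers(DEFAULT_SAMPLE)
    after = move_to_end(before, "TLS1")   # what DEFAULT:+TLSv1 does
    return first_tls1_before_newer(before), first_tls1_before_newer(after)
```

Running `demo()` returns `(2, -1)`: the OP's line 2 is flagged before the change and nothing is flagged after it.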