31-Jan-2023 03:46
After an audit, we are required to disable TLSv1.1 on our new F5 VM LTMs.
Following various F5 documents, I enabled "No TLSv1.1" in Local Traffic / Profiles / SSL / Client / clientssl.
Then I signed in to bash and ran the following command:
# openssl s_client -connect n.n.n.n:443 -tls1_1
The command displays the server certificate.
I then tried # openssl s_client -connect n.n.n.n:443 -tls1 (as this option is available):
- No peer certificates available / No client certificate CA names sent / SSL handshake has read 0 bytes etc.
31-Jan-2023 06:36
@richy01908 is it possible for you to share the configuration of the SSL profile with us? Purely based on the response, it might be a case that the SSL cipher suite that is associated with that SSL profile has TLS1.1 ciphers in it. You might have to create a custom SSL cipher suite string that doesn't include TLS1.1.
31-Jan-2023 07:16
Hi,
So, against the VIP where this profile is configured, can you run nmap?
nmap --script ssl-enum-ciphers -p 443 <my ip or dns>
This should tell you what you have.
I have just done the same for my environment. I found the cipher profile and the "no tls1.1" section argued with each other, and I think the cipher would override that filter.
So I made a custom cipher rule and group and applied that to the clientssl profile I was using.
I found that the nmap command gave me some good output to help fault-find the issue.
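The check the thread walks through by hand (one openssl s_client run per protocol version, then reading the output for a server certificate) is easy to get wrong when the output scrolls past. Below is an added example script, not from the thread or from F5, that probes every TLS version against a VIP and classifies each handshake as accepted or rejected; the host and port are assumptions, and the sample outputs embedded in it are constructed, not captured from a real BIG-IP. The classifier keys on the same two strings the original poster saw: "Server certificate" for a completed handshake and "no peer certificate available" for a refused one.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from F5): probe a VIP for each TLS
# protocol version with openssl s_client and report which ones it still accepts.
# Host/port are assumptions; run it from a box whose openssl can still offer
# TLS 1.0/1.1 (OpenSSL 3 may refuse at its default security level, which shows
# up as a local error rather than a server rejection).
set -u

# Constructed sample output (not captured from a real device): a refused handshake.
SAMPLE_REJECTED='CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes'

# Constructed sample output (not captured from a real device): an accepted handshake.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...(truncated in this constructed sample)
-----END CERTIFICATE-----
subject=CN = vip.example.test
---
SSL handshake has read 1234 bytes and written 300 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Protocol  : TLSv1.1'

# Classify raw openssl s_client output.
# A handshake only counts as accepted when the server actually presented a
# certificate; anything else (refused, timed out, local openssl error) is rejected.
classify_handshake() {
    local output="$1"
    if printf '%s\n' "$output" | grep -qi 'no peer certificate'; then
        echo rejected
    elif printf '%s\n' "$output" | grep -q 'Server certificate'; then
        echo accepted
    else
        echo rejected
    fi
}

# Probe one host:port with one protocol flag (e.g. -tls1_1) and classify it.
# stdin is closed so s_client exits after the handshake instead of waiting for input.
probe_version() {
    local host="$1" port="$2" flag="$3"
    local out
    out=$(printf '' | openssl s_client -connect "${host}:${port}" "$flag" 2>&1 || true)
    classify_handshake "$out"
}

# Walk every version the VIP could negotiate. After disabling TLS 1.0/1.1 in the
# cipher string, only -tls1_2 and -tls1_3 should print "accepted".
probe_all() {
    local host="$1" port="${2:-443}"
    local flag
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-9s %s\n' "$flag" "$(probe_version "$host" "$port" "$flag")"
    done
}

# Usage (assumed VIP address): probe_all n.n.n.n 443
```

Read the table it prints alongside `nmap --script ssl-enum-ciphers`: if -tls1_1 still comes back "accepted" after the "No TLSv1.1" box is ticked, the profile's cipher string is the place to look, as the replies above describe, and the fix is a cipher string that excludes the old protocols rather than the checkbox alone.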