Forum Discussion

richy01908's avatar
richy01908
Icon for Nimbostratus rankNimbostratus
Jan 31, 2023

LTM VM 16.1.2.2 - Disable TLSv1.1 in clientssl, can still Openssl to it?

After an audit, required to disable TLSv1.1 on our new F5 VM LTM's

Following various F5 Documents, enable "No TLSv1.1" in Local Traffic / Profiles / SSl / Client / clientssl

Then sign in to bash, following command:

#openssl s_client - connect n.n.n.n:443 -tls1_1

Command displays the Server certificate

I then tried  #openssl s_client - connect n.n.n.n:443 -tls1 (as this option available)

- No peer certificates available / No client certifcate CA names sent / SSL handshake has read 0 bytes etc..

cloud
devops
security

3 Replies

Sort By
  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Jan 31, 2023

    richy01908 is it possible for you to share the configuration of the SSL profile with us? Purely based on the response it might be a case that the SSL cipher suite that is associated to that SSL profile has TLS1.1 ciphers in it. You might have to create a custom SSL cipher suite string to enter that doesn't include TLS1.1.

  • mihaic's avatar
    mihaic
    Icon for MVP rankMVP
    Jan 31, 2023

    you should not use that default clientssl profile.

    You should have a custom ssl profile for each vip.

  • PSFletchTheTek's avatar
    PSFletchTheTek
    Icon for MVP rankMVP
    Jan 31, 2023

    Hi,
    So to the vip where this profile is configured can you run nmap?
    nmap --script ssl-enum-ciphers -p 443 <my ip or dns>

    This should tell you what you have.
    I have just done the same for my environment, I found the cypher profile and the "no tls1.1" section argued with each other and i think the cypher would override that filter.
    So i made a custom cypher rule  and group and applied that to the clientssl profile i was using.

    I found that nmap command gave me some good output to help fault find the issue.