LTM VM 16.1.2.2 - Disable TLSv1.1 in clientssl, can still Openssl to it?

richy01908 · ‎31-Jan-2023

After an audit, required to disable TLSv1.1 on our new F5 VM LTM's

Following various F5 Documents, enable "No TLSv1.1" in Local Traffic / Profiles / SSl / Client / clientssl

Then sign in to bash, following command:

#openssl s_client - connect n.n.n.n:443 -tls1_1

Command displays the Server certificate

I then tried #openssl s_client - connect n.n.n.n:443 -tls1 (as this option available)

- No peer certificates available / No client certifcate CA names sent / SSL handshake has read 0 bytes etc..

Paulius · ‎31-Jan-2023

@richy01908 is it possible for you to share the configuration of the SSL profile with us? Purely based on the response it might be a case that the SSL cipher suite that is associated to that SSL profile has TLS1.1 ciphers in it. You might have to create a custom SSL cipher suite string to enter that doesn't include TLS1.1.

mihaic · ‎31-Jan-2023

you should not use that default clientssl profile.

You should have a custom ssl profile for each vip.

PSFletchTheTek · ‎31-Jan-2023

Hi,
So to the vip where this profile is configured can you run nmap?
nmap --script ssl-enum-ciphers -p 443 <my ip or dns>

This should tell you what you have.
I have just done the same for my environment, I found the cypher profile and the "no tls1.1" section argued with each other and i think the cypher would override that filter.
So i made a custom cypher rule and group and applied that to the clientssl profile i was using.

I found that nmap command gave me some good output to help fault find the issue.

DevCentral

LTM VM 16.1.2.2 - Disable TLSv1.1 in clientssl, can still Openssl to it?