Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

LTM VM 16.1.2.2 - Disable TLSv1.1 in clientssl, can still Openssl to it?

richy01908
Nimbostratus
Nimbostratus

‎31-Jan-2023 03:46

After an audit, required to disable TLSv1.1 on our new F5 VM LTM's

Following various F5 Documents, enable "No TLSv1.1" in Local Traffic / Profiles / SSl / Client / clientssl

Then sign in to bash, following command:

#openssl s_client - connect n.n.n.n:443 -tls1_1

Command displays the Server certificate

I then tried  #openssl s_client - connect n.n.n.n:443 -tls1 (as this option available)

- No peer certificates available / No client certifcate CA names sent / SSL handshake has read 0 bytes etc..

Labels:
0 Kudos
3 REPLIES 3

Paulius
MVP
MVP

‎31-Jan-2023 06:36

@richy01908 is it possible for you to share the configuration of the SSL profile with us? Purely based on the response it might be a case that the SSL cipher suite that is associated to that SSL profile has TLS1.1 ciphers in it. You might have to create a custom SSL cipher suite string to enter that doesn't include TLS1.1.

0 Kudos

mihaic
MVP
MVP

‎31-Jan-2023 06:53

you should not use that default clientssl profile.

You should have a custom ssl profile for each vip.

0 Kudos

PSFletchTheTek
MVP
MVP

‎31-Jan-2023 07:16

Hi,
So to the vip where this profile is configured can you run nmap?
nmap --script ssl-enum-ciphers -p 443 <my ip or dns>

This should tell you what you have.
I have just done the same for my environment, I found the cypher profile and the "no tls1.1" section argued with each other and i think the cypher would override that filter.
So i made a custom cypher rule  and group and applied that to the clientssl profile i was using.

I found that nmap command gave me some good output to help fault find the issue.


0 Kudos
Copyright © 2023 Khoros, LLC