Hi all, what other parameters can I add to my current TLS v1.1 ciphers below? Some of my VIPs are getting the TLS triple handshake vulnerability on the F5 client SSL profile. The reason we can't make the jump to TLS v1.2 yet is that we don't want to impact clients who may not be ready yet.
Current ciphers: DEFAULT:!TLSv1
In this case you don't need to do anything to allow TLS1.1. By default F5 BIGIP supports TLS1.0, TLS1.1 & TLS1.2 unless any of them is disabled. I can see that the current cipher string on the SSL profile disables TLS1.0 [DEFAULT:!TLSv1].
Run the command below to check whether traffic is coming to the VIP with TLS1.1 or TLS1.2 ciphers, etc.
tmsh show ltm profile client-ssl <SSL_Profile_Name> raw
Which version of BIGIP do you use?
By default on versions later than 13.0.0 the variable tmm.ssl.ExtmsEnabled was enabled.