
Strengthen ciphers for TLS v1.1

Doran_Lum
Nimbostratus

Hi all, what other parameters can I add to my current TLS v1.1 ciphers below? Some of my VIPs are getting the TLS triple handshake vulnerability on the F5 client SSL profile. The reason we can't make the jump to TLS v1.2 yet is that we don't want to create an impact on clients who may not be ready yet.

 

Current ciphers: DEFAULT:!TLSv1


Samir
Nacreous

In this case you don't need to do anything to allow TLS1.1. By default F5 BIGIP supports TLS1.0, TLS1.1 & TLS1.2 unless any are disabled. I can see the current cipher string on the SSL profile disables TLS1.0 [DEFAULT:!TLSv1].

 

Run the command below to check whether traffic is coming to the VIP with TLS1.1 or TLS1.2 ciphers, etc.

 

tmsh show ltm profile client-ssl <SSL_Profile_Name> raw

 

Lidev
MVP

Hi Doran,

Which version of BIGIP do you use?

By default on versions later than 13.0.0 the variable tmm.ssl.ExtmsEnabled was enabled.

REF: https://support.f5.com/csp/article/K66202244

 

Regards
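
A client-side check to go with the thread, added here as an example and not part of any post: the triple handshake attack is addressed by the TLS Extended Master Secret extension (RFC 7627), and `openssl s_client` reports whether a session negotiated it. The function names and the sample session text are constructed for illustration, and `vip.example.com` is a placeholder.

```shell
#!/bin/sh
# Classify `openssl s_client` output by negotiated protocol and
# Extended Master Secret (EMS) status. Assumes the local OpenSSL client
# offers EMS itself (OpenSSL 1.1.0 and later do).

# Constructed samples of the SSL-Session section printed by s_client.
sample_no_ems='SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Extended master secret: no'

sample_ems='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Extended master secret: yes'

# Reads s_client output on stdin, prints "<protocol> ems=<value> <verdict>".
# verdict is "ok" when EMS was negotiated (or the session is TLS 1.3, which
# does not use the extension) and "review" otherwise.
classify_session() {
    awk '
        { sub(/\r$/, "") }
        /^[ \t]*Protocol[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); proto = $0 }
        /Extended master secret:/ { sub(/^.*:[ \t]*/, ""); ems = $0 }
        END {
            if (proto == "") { print "no-session"; exit }
            if (ems == "") ems = "unknown"
            verdict = (proto == "TLSv1.3" || ems == "yes") ? "ok" : "review"
            print proto " ems=" ems " " verdict
        }'
}

# Live probe (hypothetical helper): force a TLS 1.1 handshake against a VIP.
# Usage: probe_vip vip.example.com:443
probe_vip() {
    openssl s_client -connect "$1" -tls1_1 </dev/null 2>/dev/null | classify_session
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$sample_no_ems" | classify_session
printf '%s\n' "$sample_ems" | classify_session
```

A "review" verdict on a TLS 1.1 or 1.2 session means the extension was not negotiated, which is the condition scanners report as triple handshake exposure.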