Showing results for 
Search instead for 
Did you mean: 

TLS version 1.0 on Client side and TLS version 1.2 on Server side


Hi All,


I'm hoping you can help me with configuration of ssl profiles on the LTM.


We have a legacy java application that can only establish TLS 1.0 outbound connections, but the server it's trying to establish connections to will only accept a minimum of TLS 1.2.


We don't need to decrypt the traffic, just to enforce TLS 1.2 on the server side.


How would you configure the clientssl/serverssl profiles for this?


Many thanks for your help!



Just to add we are on BIG-IP version 15. We don't have SSL Orchestrator or SSL Forward Proxy license.

As client side SSL and Server side SSL works independently for maintaining SSL session between client & F5 and between F5 and backend server respectively, so your requirement should work.


To configure SSL profiles, you need to disable and/or enable required TLS version under client and server ssl profiles under advance tab--> ciphers options list. here by selecting Cipher group and enable desired TLS versions under options list. If you are selecting Cipher Suits option, then you can define specific cipher suits under the provided field. e.g. DEFAULT:!TLSv1:!TLSv1_1 This is example of cipher suits for your reference. This given cipher suit will block TLS1.0 and TLS1.1 versions. You can even apply specific encryption, key parameters under cipher suit along with keyword used for blocking TLS versions.


Hope it helps!

Mayur Sutare


Hi Mayur,


Thanks very much for your response!


I followed your advice and on the serverssl profile I blocked TLS v1/1.1 with DEFAULT:!TLSv1:!TLSv1_1:!ECDHE_ECDSA , I added the exclude for ECDHE just to test if this was working.


I verified what ciphers this would include first:


[xxxxxxbigip] log # tmm --serverciphers 'DEFAULT:!TLSv1:!TLSv1_1:!ECDHE_ECDSA'

    ID SUITE              BITS PROT  CIPHER       MAC   KEYX

 0: 49199 ECDHE-RSA-AES128-GCM-SHA256   128 TLS1.2 AES-GCM       SHA256 ECDHE_RSA

 1: 49171 ECDHE-RSA-AES128-CBC-SHA     128 TLS1.2 AES         SHA   ECDHE_RSA

 2: 49191 ECDHE-RSA-AES128-SHA256     128 TLS1.2 AES         SHA256 ECDHE_RSA

 3: 49200 ECDHE-RSA-AES256-GCM-SHA384   256 TLS1.2 AES-GCM       SHA384 ECDHE_RSA

 4: 49172 ECDHE-RSA-AES256-CBC-SHA     256 TLS1.2 AES         SHA   ECDHE_RSA

 5: 49192 ECDHE-RSA-AES256-SHA384     256 TLS1.2 AES         SHA384 ECDHE_RSA

 6:  156 AES128-GCM-SHA256        128 TLS1.2 AES-GCM       SHA256 RSA

 7:  47 AES128-SHA            128 TLS1.2 AES         SHA   RSA

 8:  47 AES128-SHA            128 DTLS1 AES         SHA   RSA

 9:  60 AES128-SHA256          128 TLS1.2 AES         SHA256 RSA

10:  157 AES256-GCM-SHA384        256 TLS1.2 AES-GCM       SHA384 RSA

11:  53 AES256-SHA            256 TLS1.2 AES         SHA   RSA

12:  53 AES256-SHA            256 DTLS1 AES         SHA   RSA

13:  61 AES256-SHA256          256 TLS1.2 AES         SHA256 RSA

14:  65 CAMELLIA128-SHA         128 TLS1.2 CAMELLIA      SHA   RSA

15:  132 CAMELLIA256-SHA         256 TLS1.2 CAMELLIA      SHA   RSA

16:  158 DHE-RSA-AES128-GCM-SHA256    128 TLS1.2 AES-GCM       SHA256 EDH/RSA

17:  51 DHE-RSA-AES128-SHA        128 TLS1.2 AES         SHA   EDH/RSA

18:  51 DHE-RSA-AES128-SHA        128 DTLS1 AES         SHA   EDH/RSA

19:  103 DHE-RSA-AES128-SHA256      128 TLS1.2 AES         SHA256 EDH/RSA

20:  159 DHE-RSA-AES256-GCM-SHA384    256 TLS1.2 AES-GCM       SHA384 EDH/RSA

21:  57 DHE-RSA-AES256-SHA        256 TLS1.2 AES         SHA   EDH/RSA

22:  57 DHE-RSA-AES256-SHA        256 DTLS1 AES         SHA   EDH/RSA

23:  107 DHE-RSA-AES256-SHA256      256 TLS1.2 AES         SHA256 EDH/RSA

24:  69 DHE-RSA-CAMELLIA128-SHA     128 TLS1.2 CAMELLIA      SHA   EDH/RSA

25:  136 DHE-RSA-CAMELLIA256-SHA     256 TLS1.2 CAMELLIA      SHA   EDH/RSA

26: 4865 TLS13-AES128-GCM-SHA256     128 TLS1.3 AES-GCM       NULL  *

27: 4866 TLS13-AES256-GCM-SHA384     256 TLS1.3 AES-GCM       NULL  *




Then I've just done SSLDump and I see the following:


New TCP connection #1: x.x.x.x(50884) <-> x.x.x.x(443)

1 1 0.0023 (0.0023) C>SV3.3(199) Handshake


    Version 3.3


     5f 34 07 21 bb 19 13 72 4d bf 49 3f de e5 13 80

     dc 25 6e 09 85 2a ee 2f 68 73 96 1f 2f e4 c6 8e

    cipher suites





     .............output ommitted.................



    compression methods









xxxxxxxxxxxx*output omitted************




     Unknown extension (0x18)


1 2 0.0032 (0.0009) S>CV3.3(91) Handshake


    Version 3.3


xxxxxxxxxxxx*output omitted************


xxxxxxxxxxxx*output omitted************

    cipherSuite     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    compressionMethod          NULL





1 3 0.0032 (0.0000) S>CV3.3(956) Handshake


1 4 0.0032 (0.0000) S>CV3.3(333) Handshake



xxxxxxxxxxxx*output omitted************

1 5 0.0032 (0.0000) S>CV3.3(4) Handshake


1  0.0246 (0.0214) C>S TCP FIN

1  0.0247 (0.0000) S>C TCP FIN


Even though it's negotiating the right version (3.3) which I believe is TLS 1.2, according to my cipher list it shouldn't offer up ECDHE_ECDSA, which it does in the client hello. Then after the server hello there is just a TCP FIN from the client, so the handshake never completes.


I'll post a picture of the profile config


This is the serverssl profile config - on the ciphers section



On the clientssl profile, I've allowed a cipher suit of DEFAULT as this side can be TLS1 (from client to BIG-IP)