TLSv1.0 and TLSv1.1 disable in Device Certificate

Vijay_01
Altostratus

Hi Team,

Recently, the vulnerability management team in our organization gave a report where they mentioned that the device SSL certificate (self-signed/CA-signed) used to access the F5 GUI has TLSv1.0 and TLSv1.1 enabled and we need to disable it. In case of VIP (client-ssl profile), I know how to disable it under the client-ssl profile settings, but I have no idea how we can disable the obsolete TLS versions for the device cert (as there is no ssl profile for device cert).

Vijay

2 ACCEPTED SOLUTIONS

Hi @Vijay_01,

Those articles will help you:
https://my.f5.com/manage/s/article/K40232071

https://my.f5.com/manage/s/article/K13405

It outlines the below steps, so try to mimic it:

Procedures

Listing the current Configuration utility cipher string
Restricting Configuration utility access to clients who use high-encryption SSL ciphers
Listing the current Configuration utility cipher string

Before you change the Configuration utility SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

Log in to the tmsh utility by typing the following command:
tmsh

To list the currently configured cipher string, type the following command:
list /sys httpd ssl-ciphersuite

For example, the BIG-IP 11.0.0 system displays the following cipher string:

ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2

Restricting Configuration utility access to clients who use high-encryption SSL ciphers

Impact of procedure: Clients using low-encryption SSL ciphers will not be able to access the Configuration utility.

Log in to the tmsh utility by typing the following command:
tmsh

To restrict Configuration utility access to clients using high-encryption ciphers, type the following command:
modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT40:!EXP:!LOW:!RC4'

Save the configuration change by typing the following command:
save /sys config

_______________________
Regards
Mohamed Kansoh

whisperer
Cumulonimbus

Alternatively, if you can restrict to only TLS 1.2 ciphers, then type the following command instead:

tmsh modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1'

tmsh save sys config

That should do it. Sounds like the security team only wants you to use TLSv1.2 🙂
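
A check to run from an admin workstation after either change above, to confirm that the Configuration utility no longer negotiates TLSv1.0 or TLSv1.1. This is an added example, not part of the original posts or of F5's articles; `MGMT_HOST`, `MGMT_PORT` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify which TLS versions the BIG-IP management GUI accepts.
# MGMT_HOST / MGMT_PORT are hypothetical environment variables for this script.
# Caveat: an openssl client that itself refuses TLS 1.0/1.1 (library policy)
# reports "rejected" regardless of the server, so test from a client that can
# still speak the old versions.

# Decide from `openssl s_client` output whether a handshake completed.
# A completed handshake prints "New, <proto>, Cipher is <suite>";
# a refused one prints "Cipher is (NONE)" or no such line at all.
handshake_result() {
    if printf '%s\n' "$1" | grep 'Cipher is ' | grep -qv '(NONE)'; then
        echo accepted
    else
        echo rejected
    fi
}

# Probe one protocol version; $3 is an s_client flag such as -tls1_1.
probe() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1) || true
    handshake_result "$out"
}

# Compare results (TLS 1.0, 1.1, 1.2) with the policy asked for in the thread:
# only TLS 1.2 may be negotiated. Returns non-zero on any violation.
check_policy() {
    rc=0
    [ "$1" = rejected ] || { echo "FAIL: TLSv1.0 still accepted"; rc=1; }
    [ "$2" = rejected ] || { echo "FAIL: TLSv1.1 still accepted"; rc=1; }
    [ "$3" = accepted ] || { echo "FAIL: TLSv1.2 not accepted"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: only TLSv1.2 negotiated"
    return "$rc"
}

# Runs only when a target is supplied, e.g. MGMT_HOST=<mgmt-address> sh check.sh
if [ -n "${MGMT_HOST:-}" ]; then
    port=${MGMT_PORT:-443}
    check_policy "$(probe "$MGMT_HOST" "$port" -tls1)" \
                 "$(probe "$MGMT_HOST" "$port" -tls1_1)" \
                 "$(probe "$MGMT_HOST" "$port" -tls1_2)"
fi
```

A "FAIL: TLSv1.2 not accepted" result usually means the GUI was unreachable or the new cipher string left no usable suites, so run it before closing the tmsh session that made the change.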

