How to set top priority for TLS 1.2 protocol over TLS 1.0 for client ciphers in BIG-IP v11.6.x
Problem: The F5 (version 11.6.x) establishes a TLS 1.0 connection for a client browser even if protocols TLS 1.2 and TLS 1.1 are part of the supported ciphers on both sides (client browser and F5 client-side). How can I force the F5 to use the highest protocol available? How can I reorder the ciphers/protocols to put TLS 1.2 at the top of the protocol negotiation mechanism? How does the F5 perform the TLS protocol negotiation? The cipher string: DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1 tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA 1: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA 2: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA 3: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA 4: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA 5: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA The client browser is Safari 11.1 (the latest version at time of writing).
The best ciphersuite
Hi We host several virtual servers on our LTM and assign SSL profiles to them with certain ciphersuites, I wish to improve them. My question is, can anyone suggest an appropriate cipher suite to use which remediates the below vulnerabilities and gives us a good grade on quallys: BEAST Attack POODLE (sslv3) POODLE (TLS) Avoiding RC4 Thanks.
Exact syntax for SSL ciphers
Hi, Trying to help a coworker with an SSL Client profile request with custom ciphers. So far I have been able to see the ciphers supported on F5 but not the exact syntax when you configure them. I checked the TMSH manual and did some searching on KB but all i find are strengths of ciphers and so on - nothing on the way the ciphers have to be written (i.e : TLS1.2 is TLSv_1.2) Apologies in advance if I missed something obvious.
ECDSA Cipher help on LTM
Hello f5 experts, I am trying to add below cipher to a SSL profile but the customer is not able to see it on SSLlabs, I checked few solutions and tried adding it but the ECDSA part is missing. Can someone please help me enable it? f5 version we use is - 11.5.5 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_ Thanks, RRegarding cipher negotiation for LTM
Hi, Needed suggestion regarding cipher negotiation between LTM and server. As per my understanding when client sends hello it sends all cipher value supported. So in case of serverssl profile I am seeing when LTM sends hello to nodes it only sends TLSv1.2 and since our node supports TLSv1 it is dropping the connection. So ideally if client and server are not able to agree to cipher value LTM should switch to TLSv1.1, then TLSv1 and sslv3, since these ciphers are currently enabled on LTM. But why after LTM sends TLSv1.2 and seeing reset from server not fallback to low supported ciphers. Do we need to make any other changes on LTM side? Also if I configure cipher value something like :TLSv1:TLSv1.1:TLSv1.2 will TLSv1 will take preference over v1.1 and v1.2? Thanks.