For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tech's avatar
Tech
Icon for Nimbostratus rankNimbostratus
Apr 26, 2024

enable tls1.2 on management interface on F5 ltm running version 10.x

Hi Experts ,

Legacy F5 is having below image and we would like to enable tls1.2 for httpd for management interface so that we can access Web using new browsers.

Sys::Version
Main Package
  Product  BIG-IP
  Version  10.2.4
  Build    817.0
  Edition  Hotfix HF7
  Date     Mon May 20 15:08:56 PDT 2013

We are folllowing stpes mentioned in the "https://my.f5.com/manage/s/article/K40232071" , unfortunately this is for 11.x and above versions.

We are getting below error while changing the ssl to tls1.2.

 

(Active)(tmos)# modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1'
01070920:3: Application error for confpp: Syntax OK
Error in cipher list
25658:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:836:
'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1' invalid.
*************************************************************
Apr 26 13:17:23 CEGP001.IN.com confpp[25610]: syntax check command FAILURE for unix_config_httpd returned: '256'
[  OK  ]ing httpd: [  OK  ]

 

your valuable suggestion helps us to fix GUI issues.

 

from the Browser we are getting , 

The connection for this site is not secure

10.70.89.37 uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

 

 

 

 

 

application delivery

2 Replies

  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Apr 26, 2024

    First I would run the following command to see what the configuration is.

    list sys httpd

    Next when you end the following I would use the question mark to see what configuration options are available to you. Sadly I do not have access to an F5 appliance with this code version so I cannot provide the specific command. Essentially you need to create the appropriate cipher suite command to do what you want and that changes a bit from version to version.

    modify sys httpd ssl-ciphersuite

    • Tech's avatar
      Tech
      Icon for Nimbostratus rankNimbostratus
      Apr 26, 2024

      Hi Paulius ,

       

      Thank you for your reply.

       

      list sys httpd
      sys httpd {
          allow { 10.41.32.0/255.255.224.0 }
          auth-pam-idle-timeout 36000
          include "
      <LocationMatch \";\">
          Redirect 404 /
      </LocationMatch>
      <LocationMatch \"hsqldb\">
          Redirect 404 /
      </LocationMatch>
          "
          ssl-ciphersuite ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
      }

       

      We have tried below commands but no luck as these commands are for 11.x and above .

       

      To restrict Configuration utility access to clients using TLS 1.2 or RC4-SHA ciphers, type the following command:
      modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4-SHA:!SSLv2:-TLSv1:-SSLv3:-TLSv1.1'

      Alternatively, if you can restrict to only TLS 1.2 cipher, then type the following command instead:
      modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1'