Forum Discussion
How to set top priority for TLS 1.2 protocol over TLS 1.0 for client ciphers in BIG-IP v11.6.x
Problem: The F5 (version 11.6.x) establishes a TLS 1.0 connection for a client browser even if protocols TLS 1.2 and TLS 1.1 are part of the supported ciphers on both sides (client browser and F5 client-side).
How can I force the F5 to use the highest protocol available? How can I reorder the ciphers/protocols to put TLS 1.2 at the top of the protocol negotiation mechanism? How does the F5 perform the TLS protocol negotiation?
The cipher string: DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1
tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
The client browser is Safari 11.1 (the latest version at time of writing).
- natheCirrocumulus
Ghislaine, have you seen this solution Configure the cipher strength of SSL profiles
It suggests adding @strength at the end of the cipher string.
Hope this helps
N
Hi Ghislain,
If it's generally just about ordering by protocol preference, the following cipher string will do it:
DEFAULT:+TLSv1_1:+TLSv1:+DTLSv1
Please check via command line:
tmm --clientciphers 'DEFAULT:+TLSv1_1:+TLSv1:+DTLSv1'
The "+" prefix lowers the preference of the specifier (applies to handshake-methods, bulk-crypto and message-digest algorithms as well).
Back to your specific case it would be the following:
DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:+TLSv1_1:+TLSv1:!DTLSv1
Verification:
tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:+TLSv1_1:+TLSv1:!DTLSv1'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
1: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
4: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
In a previous post ("TMOS SSL TLS Cipher Cheat Sheet") I tried to summarize the different approaches for cipher specification including aliases and keywords.
Cheers, Stephan
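As an added example (not from the thread and not F5's own code), here is a small checker for the table that tmm --clientciphers prints: feed it the command's output and it reports every row whose protocol is newer than one listed before it, which is exactly the shape of the asker's original listing. The PROT column values and the rank assigned to each are assumptions based on the listings above; the two sample listings are constructed from those same outputs.

```python
import re

# Rank of the PROT column values seen in the listings above; higher is newer.
PROTO_RANK = {"SSL3": 0, "DTLS1": 1, "TLS1": 1, "TLS1.1": 2, "TLS1.2": 3}

# One table row: "0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA"
ROW_RE = re.compile(r"^\s*(\d+):\s+\d+\s+(\S+)\s+\d+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s*$")

def parse_listing(text):
    """Return (id, suite, prot) for each table row of tmm --clientciphers output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ROW_RE.match, text.splitlines()) if m]

def protocol_order_issues(rows):
    """Report rows whose protocol is newer than one listed earlier.

    An empty list means the table is ordered newest protocol first, so the
    suite order cannot steer a TLS 1.2-capable client onto TLS 1.0.
    """
    issues, lowest = [], None  # lowest = (rank, id, suite, prot) seen so far
    for row_id, suite, prot in rows:
        rank = PROTO_RANK.get(prot, 0)  # unknown protocol strings rank lowest
        if lowest is not None and rank > lowest[0]:
            issues.append(f"row {row_id} {suite} {prot} listed after "
                          f"row {lowest[1]} {lowest[2]} {lowest[3]}")
        if lowest is None or rank < lowest[0]:
            lowest = (rank, row_id, suite, prot)
    return issues

# Constructed from the two listings in the thread: the asker's original
# cipher string (BEFORE) and the reordered one from the reply (AFTER).
BEFORE = """\
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
"""
AFTER = """\
0: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
1: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
4: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
"""

if __name__ == "__main__":
    for name, listing in (("before", BEFORE), ("after", AFTER)):
        print(name, protocol_order_issues(parse_listing(listing)) or "OK")
```

On a BIG-IP you would run it as `tmm --clientciphers '<cipher string>' | python3 check.py` after replacing the sample listings with `sys.stdin.read()`.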