ssl profiles
2 Topics

How to set top priority for TLS 1.2 protocol over TLS 1.0 for client ciphers in BIG-IP v11.6.x

Problem: The F5 (version 11.6.x) establishes a TLS 1.0 connection for a client browser even if protocols TLS 1.2 and TLS 1.1 are part of the supported ciphers on both sides (client browser and F5 client-side).

How can I force the F5 to use the highest protocol available? How can I reorder the ciphers/protocols to put TLS 1.2 at the top of the protocol negotiation mechanism? How does the F5 perform the TLS protocol negotiation?

The cipher string: DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1

tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1'
     ID  SUITE               BITS  PROT    METHOD  CIPHER  MAC  KEYX
 0:  51  DHE-RSA-AES128-SHA  128   TLS1    Native  AES     SHA  EDH/RSA
 1:  51  DHE-RSA-AES128-SHA  128   TLS1.1  Native  AES     SHA  EDH/RSA
 2:  51  DHE-RSA-AES128-SHA  128   TLS1.2  Native  AES     SHA  EDH/RSA
 3:  57  DHE-RSA-AES256-SHA  256   TLS1    Native  AES     SHA  EDH/RSA
 4:  57  DHE-RSA-AES256-SHA  256   TLS1.1  Native  AES     SHA  EDH/RSA
 5:  57  DHE-RSA-AES256-SHA  256   TLS1.2  Native  AES     SHA  EDH/RSA

The client browser is Safari 11.1 (the latest version at time of writing).

794 Views, 0 likes, 2 Comments

Strategy for updating large amount of SSL profiles associated with a single virtual server
I'm looking to shed some of the older ciphers that are a part of the DEFAULT cipher string in our SSL profiles. The problem is, we host quite a few SSL profiles (100+) with a single virtual server. I discovered that I'm unable to update a single profile that's applied to a virtual server that has others with a (then) mismatched security policy.

The support article from F5 says that I will have to remove all of the client SSL profiles from the server, update them all, and then re-add them all back. (https://support.f5.com/csp/article/K04316654)

Is it possible that something like this could be scripted so that 1) I can reduce the amount of hand-work editing each of these individual profiles and 2) more importantly reduce the maintenance window that I'll inevitably need to schedule, as removing the profiles will cause an interruption in my production web traffic? Or any other angles to this that I'm not seeing that might make this a smoother adjustment?

459 Views, 0 likes, 1 Comment