Disabling TLS v1 and TLS v1.1 Protocol

In reading up on the issue of disabling TLS v1/v1.1 I see talk mostly about ciphers. Shouldn't we be disabling the protocol? Is it possible there will be problems if the protocol is enabled but the cipher is disabled? DevCentral has significant information on cipher suites. Is this how we should approach TLS, or should we look at the protocol?

With LTM, is there a difference in how this is configured?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

There are usually different versions of a cipher for each protocol version.

 1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    AES       SHA     ECDHE_RSA 
 2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  AES       SHA     ECDHE_RSA 
 3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES       SHA     ECDHE_RSA 

So disabling a cipher would remove all versions of that cipher. But if you truly want to just disable TLS1 and TLS1.1, you could use a cipher string like this:

DEFAULT:!TLSv1:!TLSv1_1
Comments on this Answer
Comment made 3 months ago by The-messenger 359

Thanks Kevin! Question on this process. I disabled TLS v1 with !TLSv1 in the ssl profile I have for Exchange ActiveSync connections. I was very surprised to hear that several people lost the connection in their email app. To prevent the issue from growing I removed the configuration in the ssl profile.

We have an MDM program, we allow the default android email, default ios email app and Boxer. I wouldn't think any of these would need TLS v1.

Clearly there is more than I realize/expect with this.

Comment made 3 months ago by Shann_P 358

We added this to some of our Virtual Servers so we could see what was coming in. https://devcentral.f5.com/codeshare/categorize-ssl-traffic-by-version-display-as-graph

You can also make the change on the SSL profile under the Options List section without having to change the Cipher String.


USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Here is an amazing article which explains SSL protocols and ciphers and how to carefully choose them.

https://devcentral.f5.com/articles/cipher-suite-practices-and-pitfalls-25564?lc=1

I prefer using explicit ciphers along with options.

Example:

ltm profile client-ssl clientssl_custom {
    ciphers !SSLv3:!TLSv1:!TLSv1_1:!EXPORT:!ADH:!DHE:!RC4:!DES:!3DES:!MD5:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA:RSA+AES-GCM:RSA+AES
    options { dont-insert-empty-fragments no-ssl no-sslv2 no-sslv3 no-tlsv1 no-tlsv1.1 }
}


tmm --clientciphers '!SSLv3:!TLSv1:!TLSv1_1:!EXPORT:!ADH:!DHE:!RC4:!DES:!3DES:!MD5:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA:RSA+AES-GCM:RSA+AES'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
 1: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
 3: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
 5: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
 6: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
 7: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
 8: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
 9: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
10: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
11: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
12:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA
13:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
14:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
15:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
16:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
17:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
18:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
19:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
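As an added check that is not part of either answer: a small Python audit that parses `tmm --clientciphers` output (the listing format shown in both answers above) and reports which protocol versions each suite is still offered on, so you can confirm that a cipher string such as DEFAULT:!TLSv1:!TLSv1_1 removed every TLS1/TLS1.1 row before rolling it out to something like an ActiveSync virtual server. The sample rows are copied from the answers; the weak-suite name markers are an assumption based on OpenSSL-style suite names.

```python
import re
from collections import defaultdict

# Constructed sample input: rows taken from the two `tmm --clientciphers`
# listings quoted in the answers above (before and after excluding TLSv1/TLSv1_1).
BEFORE = """\
 1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    AES       SHA     ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  AES       SHA     ECDHE_RSA
 3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES       SHA     ECDHE_RSA
"""
AFTER = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
15:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
"""

# One tmm row: "<n>: <id>  <suite>  <bits>  <prot> ...". Only the leading columns
# are parsed because the METHOD column exists only on newer TMOS builds.
ROW = re.compile(r"^\s*\d+:\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+(?P<prot>\S+)")

LEGACY_PROTOCOLS = {"SSL3", "TLS1", "TLS1.1"}          # versions the thread retires
# Assumed name fragments (OpenSSL-style suite names) for the second answer's
# exclusions !EXPORT:!ADH:!RC4:!DES:!3DES:!MD5 ("DES" also catches DES-CBC3 = 3DES).
WEAK_MARKERS = ("EXP-", "ADH", "RC4", "DES", "MD5")

def parse_clientciphers(text):
    """Return (suite, bits, protocol) for every suite row in tmm output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["suite"], int(m["bits"]), m["prot"]))
    return rows

def audit(text):
    """Return (suites grouped by protocol, sorted (protocol, suite) pairs still on a legacy version)."""
    by_protocol = defaultdict(set)
    for suite, _bits, prot in parse_clientciphers(text):
        by_protocol[prot].add(suite)
    # An empty list here means the cipher string really removed SSL3/TLS1/TLS1.1.
    offending = sorted((p, s) for p, suites in by_protocol.items()
                       if p in LEGACY_PROTOCOLS for s in suites)
    return dict(by_protocol), offending

def weak_suites(text):
    """Suites whose name carries a marker for an algorithm the thread excludes."""
    return sorted({s for s, _b, _p in parse_clientciphers(text)
                   if any(mark in s for mark in WEAK_MARKERS)})
```

Run it against `tmm --clientciphers '<your cipher string>'` output captured from the BIG-IP; the per-protocol grouping also shows what clients on each version would still be able to negotiate, which is the impact question raised in the comments.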