Enforce TLS1.0 & TLS1.1 to TLS1.2

Hi Team,

We have a scenario in our setup where we accept only TLS 1.2 connections to the applications and deny all other TLS versions. This we are doing via an iRule.

However, is there a way we can enforce any of the client connections which are coming as TLS1.0 or TLS1.2 to TLS1.2 on the F5 side with an iRule?

Just like we use a redirect, can we do a TLS version redirect? So if someone comes with TLS1, the iRule will pick it up and force or redirect to TLS1.2?

I have tried a couple of attempts with no luck. Any expert inputs will be of great help.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello,

I don't think that you need an iRule to achieve that. You can simply change the ciphers in your clientssl profile.

Example: Use "TLSv1_2" for your clientssl cipher and you will force F5 to negotiate with the clients only with TLSv1.2. In that way you don't need to redirect anything :)

If I understood you correctly this will work for you.

Regards

Comments on this Answer
Comment made 27-Jul-2017 by Jibinpv 64

Hi Ilian - Many thanks for the inputs. However, if I understood correctly, this approach will potentially drop any connection coming with TLS1 & TLS1.1, as we are forcing F5 to negotiate only TLS1.2.

My actual thought was not to drop any connection if it is TLS1 or TLS1.1, but just to have it redirected or enforced to TLS1.2 irrespective of any version lower than 1.2.

Thus from a client connection perspective they will not see any difference in the versions, but at the same time on our side we are meeting the requirement of TLS1.2.

Comment made 27-Jul-2017 by Ilian Ivanov 517

The connections will not be dropped, but the client will be forced to negotiate on TLSv1.2, if the client supports TLSv1.2 of course. If the client doesn't support TLSv1.2 the connection will fail. In other words you will not have any other connections than TLSv1.2.

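The point made in the comment above, that a version is negotiated rather than redirected, is easy to check with a small model. The following Python is an added example, not code from the thread or from F5: it derives the protocol versions a clientssl cipher string such as "TLSv1_2" or "DEFAULT:!SSLv3:!TLSv1:!TLSv1_1" permits (the keyword handling is a simplified assumption, not F5's full cipher-string grammar, and the DEFAULT keyword is assumed to enable all four version keywords), works out what a client offering only older versions gets, and includes a `probe()` helper that uses Python's `ssl` module to test a live virtual server one version at a time, which is how a practitioner would confirm the profile change.

```python
"""Model of how a clientssl cipher string restricts the TLS versions a
virtual server accepts, plus a live probe helper. Added example; the
cipher-string handling is a simplified assumption, not F5's grammar."""
import socket
import ssl

# Version keywords that may appear in an F5 cipher string, oldest first.
# Assumption: only these keywords are modelled; cipher-suite names are ignored.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]
VERSION_KEYWORDS = set(VERSION_ORDER)


def allowed_versions(cipher_string):
    """Return the set of protocol versions a cipher string permits.

    Tokens are processed left to right; a leading '!' removes a version
    that an earlier token enabled. DEFAULT is assumed to enable every
    version keyword (assumption for this model).
    """
    allowed = set()
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("!")
        name = token.lstrip("!")
        if name == "DEFAULT":
            if negate:
                allowed.clear()
            else:
                allowed |= VERSION_KEYWORDS
        elif name in VERSION_KEYWORDS:
            if negate:
                allowed.discard(name)
            else:
                allowed.add(name)
        # anything else (e.g. AES256-SHA) is a cipher suite, not a version
    return allowed


def negotiate(server_allowed, client_offered):
    """Highest version both sides support, or None if the handshake fails.

    This is what happens instead of a 'redirect': the client is never moved
    to a version it did not offer.
    """
    for version in reversed(VERSION_ORDER):
        if version in server_allowed and version in client_offered:
            return version
    return None


# Map model keywords to the ssl module's version constants for live probing.
_SSL_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
}


def probe(host, port, version_keyword, timeout=5.0):
    """Attempt a handshake pinned to one TLS version; return the negotiated
    version string (e.g. 'TLSv1.2') or None if the server refused it.

    Certificate checks are disabled because the purpose is to test version
    acceptance, not trust. Needs network access; not run by the test.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = _SSL_VERSIONS[version_keyword]
    ctx.maximum_version = _SSL_VERSIONS[version_keyword]
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    server = allowed_versions("TLSv1_2")
    print("server allows:", sorted(server))
    print("old client ->", negotiate(server, {"TLSv1", "TLSv1_1"}))
    print("modern client ->", negotiate(server, {"TLSv1", "TLSv1_1", "TLSv1_2"}))
```

Running `probe("vip.example.invalid", 443, "TLSv1")` against a virtual server whose clientssl profile uses the "TLSv1_2" cipher string should return None, while `probe(..., "TLSv1_2")` returns "TLSv1.2"; that pair of results is the confirmation that no older-version client is being silently accepted.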
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I agree, Ilian. I think it's easier to do the filtering on the sslclient profile. Take a look at this URL:

https://support.f5.com/csp/article/K15194
