Is TLS Version 1.1 Supported on Big IP

Hello all, we have a terminal that needs to connect to one of our front-end boxes. It is going to be using SSL, and there appears to be a limitation for the terminal to be able to connect using TLS 1.1. Is this supported on the Big IP LTM, either 3900 or 1600? I looked through the Profile ssl client and I did not see anything about ssl 1.1 ...

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
TLS v1.1 is definitely supported on all LTM platforms and software versions. You can capture a tcpdump of the issue and then either use Wireshark with the SSL private key imported or ssldump to decrypt the trace and diagnose the issue. If you need any help capturing or analyzing the traces, you can search on AskF5 for tcpdump and ssldump, or open a case with F5 Support.

Aaron
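
An added example, not part of the original thread or of F5's tooling: the hello messages of an SSL/TLS handshake travel in the clear, so the version a client offers and the version the server selects can be read from a capture without the private key. The sample records are constructed by the hypothetical `build_hello` helper.

```python
import struct

# Wire values of the two-byte protocol version field.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE = 22                      # record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2   # handshake message types


def hello_version(record: bytes):
    """Return (message, version) for a plaintext ClientHello/ServerHello record.

    ClientHello carries the highest version the client offers; ServerHello
    carries the version the server selected. TLS 1.3 also puts 0x0303 here
    and signals itself in an extension, which this example does not parse.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record (content type %d)" % ctype)
    body = record[5:5 + length]
    if len(body) < length or length < 6:
        raise ValueError("truncated handshake message")
    msg_type = body[0]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a hello message (type %d)" % msg_type)
    (ver,) = struct.unpack("!H", body[4:6])   # after type(1) + length(3)
    name = "ClientHello" if msg_type == CLIENT_HELLO else "ServerHello"
    return name, VERSIONS.get(ver, "unknown 0x%04x" % ver)


def build_hello(msg_type: int, version: int) -> bytes:
    """Constructed sample: minimal hello with a zeroed random, for the demo only."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session id
    # ServerHello: one cipher suite + compression; ClientHello: suite list + compression list.
    hello += b"\x00\x2f\x00" if msg_type == SERVER_HELLO else b"\x00\x02\x00\x2f\x01\x00"
    handshake = bytes([msg_type]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed exchange: client offers up to TLS 1.1, server answers with TLS 1.0.
    for rec in (build_hello(CLIENT_HELLO, 0x0302), build_hello(SERVER_HELLO, 0x0301)):
        print(hello_version(rec))
```

A ServerHello version lower than the ClientHello version, as in the constructed exchange, means the server negotiated down to a version it supports.
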
Hoolio - I see there are options in the SSL profiles for disabling SSLv2, v3, TLSv1, etc...any idea why there isn't one for disabling TLSv1.1? I can't think of a reason you'd want to but I think it not being listed as an option probably contributes to confusion about it being usable.
Sorry, I was being a numpty and was thinking of TLSv1--not TLSv1.1. I couldn't find any docs on support for TLSv1.1 and none of the clients (openssl, curl, etc) I can find support it to try testing. I'd hazard a guess that LTM might not support v1.1. You might try opening a support case with F5 to check on this. If you do, can you reply back here with what you find?

Thanks, Aaron
Thanks guys, I was curious why there wasn't any reference to TLS 1.1. So by default, if TLS 1.1 is presented to the LTM, it will negotiate without the need for any iRule trick...?
Awesome, another good reason to migrate off the CSS 1100 we have. I have not set the environment on the LTM yet; I am just in the process of selling the idea to management. Thanks again.
TLS versions 1.1 & 1.2 are not yet supported.
Thanks for confirming Jason. nassahla, you could open a case with F5 Support to find out more on F5's plans to support TLSv1.1 and TLSv1.2 (once the spec is complete).

Aaron
I have begun the process. I contacted our account rep, and I will report back with the outcome. Thanks.
Is there any news regarding TLS 1.1 and 1.2 support? Is it already released? If so, please point me at an article describing how to deny TLS 1.0 and require TLS 1.1.
TLS 1.2 has been supported since 10.2.3.

Release Note: BIG-IP LTM and TMOS version 10.2.3
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes-LTM-10-2-3.html

For TLS 1.1, initially we had no plan to support it. Anyway, I am not sure about right now (after having BEAST).
Yes, TLS 1.2 is supported as of 10.2.3 and 11.1. I believe TLS 1.1 support is on the roadmap for upcoming releases.

Aaron
TLS 1.1 is supported in 11.2.1, possibly earlier.