

Questions and Answers


Hello all, we have a terminal that needs to connect to one of our front-end boxes. It is going to be using SSL, and there appears to be a limitation for the terminal to be able to connect using TLS 1.1. Is this supported on the BIG-IP LTM, either 3900 or 1600? I looked through the client SSL profile and I did not see anything about SSL 1.1 ...

12 Answer(s):

TLS v1.1 is definitely supported on all LTM platforms and software versions. You can capture a tcpdump of the issue and then either use Wireshark with the SSL private key imported or ssldump to decrypt the trace and diagnose the issue. If you need any help capturing or analyzing the traces, you can search on AskF5 for tcpdump and ssldump, or open a case with F5 Support.

Aaron
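
For the trace analysis suggested in the answer above, this added example (not part of the thread and not F5 code) reads the offered and selected protocol versions from the cleartext hello records, which needs no private key. The function names are hypothetical, the sample bytes are constructed, and it assumes each direction of the TCP stream has already been exported from the capture as raw bytes.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE = 20, 21, 22
CLIENT_HELLO, SERVER_HELLO = 1, 2


def first_hello(stream: bytes, wanted: int):
    """Return the protocol version in the first ClientHello/ServerHello of one
    direction of a TCP stream, ("alert", description) if a cleartext alert
    comes first, or None. Covers SSLv3 to TLS 1.2 framing."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _record_version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5 : pos + 5 + length]
        pos += 5 + length
        if len(body) < length or ctype == CHANGE_CIPHER_SPEC:
            break  # truncated capture, or everything after this is encrypted
        if ctype == ALERT and length == 2:
            return ("alert", body[1])  # e.g. 70 = protocol_version
        # Handshake header: 1-byte type, 3-byte length, then 2-byte version
        if ctype == HANDSHAKE and len(body) >= 6 and body[0] == wanted:
            (version,) = struct.unpack_from("!H", body, 4)
            return VERSIONS.get(version, f"0x{version:04x}")
    return None


def negotiation(client_stream: bytes, server_stream: bytes):
    """Summarise what the client offered and what the server selected."""
    offered = first_hello(client_stream, CLIENT_HELLO)
    selected = first_hello(server_stream, SERVER_HELLO)
    both = isinstance(offered, str) and isinstance(selected, str)
    return {"offered": offered, "selected": selected,
            "downgraded": both and selected != offered}


def sample_hello(msg_type: int, version: int) -> bytes:
    """Constructed sample record: real framing, zero-filled random/session id."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"
    handshake = bytes([msg_type]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed case: client offers TLS 1.1, server answers with TLS 1.0
    client = sample_hello(CLIENT_HELLO, 0x0302)
    server = sample_hello(SERVER_HELLO, 0x0301)
    print(negotiation(client, server))
```

A ServerHello carrying a lower version than the ClientHello means the server side selected the older protocol; an alert in place of the ServerHello means the handshake was refused outright.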
Hoolio - I see there are options in the SSL profiles for disabling SSLv2, v3, TLSv1, etc...any idea why there isn't one for disabling TLSv1.1? I can't think of a reason you'd want to but I think it not being listed as an option probably contributes to confusion about it being usable.
Sorry, I was being a numpty and was thinking of TLSv1--not TLSv1.1. I couldn't find any docs on support for TLSv1.1 and none of the clients (openssl, curl, etc) I can find support it to try testing. I'd hazard a guess that LTM might not support v1.1. You might try opening a support case with F5 to check on this. If you do, can you reply back here with what you find?

Thanks, Aaron
Thanks guys, I was curious why there wasn't any reference to TLS 1.1, so by default if TLS 1.1 is presented to the LTM it will negotiate without the need for any iRule trick...?
Awesome, another good reason to migrate off the CSS 1100 we have. I have not set the environment on the LTM yet; I am just in the process of selling the idea to management. Thanks again.
TLS versions 1.1 & 1.2 are not yet supported.
Thanks for confirming Jason. nassahla, you could open a case with F5 Support to find out more on F5's plans to support TLSv1.1 and TLSv1.2 (once the spec is complete).

Aaron
I have begun the process. I contacted our account rep, and I will report back with the outcome. Thanks.
Is there any news regarding TLS 1.1 and 1.2 support? Is it already released? If so, please point me at an article describing how to deny TLS 1.0 and require TLS 1.1.
TLS 1.2 has been supported since 10.2.3.

Release Note: BIG-IP LTM and TMOS version 10.2.3
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes-LTM-10-2-3.html

For TLS 1.1, initially we had no plan to support it. Anyway, I am not sure about right now (after having BEAST).
Yes, TLS 1.2 is supported as of 10.2.3 and 11.1. I believe TLS 1.1 support is on the roadmap for upcoming releases.

Aaron
TLS 1.1 is supported in 11.2.1, possibly earlier.
