
Need to disable TLSv1.0 support on GTM 4000 running 11.5.3

I have a security requirement to disable SSLv3, RC4, and TLSv1.0 on my GTM 4000 device. I have the SSLv3 and RC4 requirements met, but in testing I can still access the web console with a browser that has only TLS1.0 enabled.

This is what I have placed in the Local Traffic > Profiles > SSL > Server & Client cipher fields: DEFAULT:!SSLv3:!TLSv1:!RC4

Do I have the wrong setting? Or have I missed another setting that needs to work with this one?

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If I read your question right, you want to disable TLSv1 on the device's management interface itself, correct? If that is the case, you cannot disable TLSv1 just yet. While technically you could by altering the cipher string with tmsh modify sys httpd ssl-ciphersuite, this causes issues with iControl and possibly iQuery, since the version of modSSL currently doesn't support TLSv1.1+. I found this myself when we tried to disable TLSv1.

Luckily, in 12.0 HF1 that has now been patched, and you can change the allowed SSL version to disable TLSv1 appropriately using tmsh modify sys httpd ssl-protocol 'all -SSLv2 -SSLv3 -TLSv1'.

0
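The ssl-protocol value quoted in the answer above can be checked before it is applied. The following Python model is an added example, not code from this thread or from F5: it assumes the value is evaluated with Apache mod_ssl SSLProtocol semantics ("all" expands to whatever the build supports, +/- add or remove, a bare name replaces everything before it). The two "supported" lists and the function names are constructed for illustration.

```python
# Added example: model of Apache mod_ssl SSLProtocol evaluation (assumed semantics).
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
BANNED = {"SSLv2", "SSLv3", "TLSv1"}  # the question's requirement, plus SSLv2


def enabled_protocols(value, supported):
    """Return the set of protocols an SSLProtocol-style value leaves enabled.

    supported: protocols the TLS library build can speak (supplied by the
    caller as an assumption); 'all' expands to exactly this set.
    """
    supported = set(supported)
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):]
        if name.lower() == "all":
            selected = set(supported)
        else:
            match = [k for k in KNOWN if k.lower() == name.lower()]
            if not match:
                raise ValueError(f"unknown protocol token: {token!r}")
            selected = {match[0]} & supported
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = selected  # bare token overrides what was set before it
    return enabled


def audit(value, supported):
    """Classify a setting: 'ok', 'banned-enabled' or 'nothing-enabled'."""
    enabled = enabled_protocols(value, supported)
    if enabled & BANNED:
        return "banned-enabled"
    return "ok" if enabled else "nothing-enabled"


if __name__ == "__main__":
    value = "all -SSLv2 -SSLv3 -TLSv1"  # string from the answer above
    old_build = ["SSLv3", "TLSv1"]  # constructed: build without TLSv1.1+
    new_build = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # constructed
    for label, build in (("no TLSv1.1+", old_build), ("TLSv1.1+", new_build)):
        print(label, sorted(enabled_protocols(value, build)), audit(value, build))
```

A "nothing-enabled" result is the case to catch before committing the change: on a build without TLSv1.1+, removing TLSv1 leaves no protocol for management clients to negotiate.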
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

There is both the cipher list and a protocol/extension list. SSLv3 is disabled by default in that list. You will need to add TLSv1.0 to it. It's called Options List under the SSL profile. If you scroll down, you will find disable TLSv1.0, TLSv1.1, etc.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Thank you both. My TLSv1.0 tests are failing now. Just as I need them to.

0