I have a security requirement to disable SSLv3, RC4, and TLSv1.0 on my GTM 4000 device. I have the SSLv3 and RC4 requirements met, but in testing I can still access the web console with a browser that has only TLS1.0 enabled.
This is what I have placed in the Local Traffic > Profiles > SSL > Server & Client cipher fields:
Do I have the wrong setting? Or have I missed another setting that needs to work with this one?
If I read your question right, you are wanting to disable TLSv1 to the device's management interface itself, correct? If that is the case, you cannot disable TLSv1 just yet. While technically you could by altering the cipher string with tmsh modify sys httpd ssl-ciphersuite, this causes issues with iControl and possibly iQuery since the version of modSSL currently doesn't support TLSv1.1+. I found this myself when we tried to disable TLSv1.
Luckily, in 12.0 HF1 that has now been patched and you can change the allowed SSL version to disable TLSv1 appropriately using tmsh modify sys httpd ssl-protocol 'all -SSLv2 -SSLv3 -TLSv1'.
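Added example, not part of the original posts: a small Python evaluator for a protocol string such as 'all -SSLv2 -SSLv3 -TLSv1', useful for checking a proposed ssl-protocol value against the SSLv3/TLSv1.0 requirement before applying it. It assumes the string is read left to right the way Apache mod_ssl's SSLProtocol is, and that "all" expands to the versions listed in `ASSUMED_ALL`; the function names are made up for this example.

```python
# Added example (not from the thread): evaluate a mod_ssl-style protocol string.
# Assumption: tokens are applied left to right the way Apache mod_ssl's SSLProtocol
# does it: "+X" adds, "-X" removes, a bare "X" replaces everything set so far.

# Assumption: what "all" expands to depends on the httpd/OpenSSL build on the device.
ASSUMED_ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")}


def effective_protocols(spec, all_set=ASSUMED_ALL):
    """Return the set of protocol versions left enabled by `spec`."""
    enabled = set()
    for token in spec.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name == "all":
            members = set(all_set)
        elif name in KNOWN:
            members = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:
            enabled = members  # bare token overrides earlier tokens
    return enabled


def violations(spec, banned=("SSLv3", "TLSv1"), all_set=ASSUMED_ALL):
    """Banned versions (the question's SSLv3 and TLSv1.0) still enabled."""
    return sorted(effective_protocols(spec, all_set) & set(banned))


if __name__ == "__main__":
    for spec in ("all -SSLv2 -SSLv3 -TLSv1", "all -SSLv2 -SSLv3", "-TLSv1 all"):
        print(f"{spec!r}: enabled={sorted(effective_protocols(spec))} "
              f"violations={violations(spec)}")
    # Constructed case: a build whose "all" stops at TLSv1 ends up with nothing.
    print(effective_protocols("all -SSLv2 -SSLv3 -TLSv1", ("SSLv3", "TLSv1")))
```

The last case is constructed: with an "all" that contains no TLSv1.1+ the same string leaves no protocol enabled, so the string is worth evaluating against the versions the installed build actually supports.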
There is both the cipher list and a protocol/extension list. SSLv3 is disabled by default in that list. You will need to add TLSv1.0 to it. It's called Options List under the SSL profile. If you scroll down you will find disable TLSv1.0, TLSv1.1, etc.
Thank you both. My TLSv1.0 tests are failing now. Just as I need them to.