Ashoka_Pandian_
Jan 14, 2016

How to turn off TLS1.0 – and only allow TLS1.1 and TLS1.2 on LTM 2000s

When we implement the new F5 load balancers and proxies, we have to turn off TLS1.0 – we will only allow TLS1.1 and TLS1.2.

 

3 Replies

  • Create a new clientssl profile where you specify a custom cipher-string, and keep the other settings as default. You can name this 'profile_clientssl_base'.

    If all you want is to disable TLSv1.0, and keep the rest as default, you can use

    DEFAULT:!TLSv1
    as your custom string. When done, this profile can be reused as your Parent Profile for all the other clientssl profiles you create in the future.

    If your concern is with the upcoming PCI DSS 3.1 requirements (will be enforced in June 2016), have a look here: https://devcentral.f5.com/questions/pci-cipher-set. You should check out the second answer, which is not User Accepted, if you don't want to disable more cipher suites than required.

  • This thread goes into detail on this

     

    If you are unsure about changing the ciphers in the SSL profile, then if you look in the Options list in the profile, there is an option, No TLSv1, that you can use if you prefer.
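
Added example, not part of the thread: a small audit that checks which client-ssl profiles would still accept TLS 1.0 after the changes suggested in the replies above, following the parent-profile chain and honoring both the `!TLSv1` cipher-string entry and the No TLSv1 option. The sample configuration is constructed; the stanza layout, the `no-tlsv1` spelling of the option, the rule that unset keys are inherited, and the function names are assumptions of this example.

```python
import re
# Constructed bigip.conf excerpt (not from the thread); stanza layout is assumed.
SAMPLE_CONF = """
ltm profile client-ssl /Common/profile_clientssl_base {
    ciphers DEFAULT:!TLSv1
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/app1_clientssl {
    defaults-from /Common/profile_clientssl_base
}
ltm profile client-ssl /Common/app2_clientssl {
    ciphers DEFAULT
    defaults-from /Common/profile_clientssl_base
}
ltm profile client-ssl /Common/app3_clientssl {
    defaults-from /Common/clientssl
    options { dont-insert-empty-fragments no-tlsv1 }
}
"""
STANZA = re.compile(r"^ltm profile client-ssl (\S+) \{\n(.*?)^\}", re.M | re.S)

def parse_profiles(conf):
    # Map profile name -> settings written explicitly in its stanza.
    profiles = {}
    for name, body in STANZA.findall(conf):
        lines = (l.strip().partition(" ") for l in body.splitlines())
        profiles[name] = {k: v for k, _, v in lines if k}
    return profiles

def effective(profiles, name, key, seen=()):
    # Walk defaults-from until a profile sets `key`; None if no profile does.
    prof = profiles.get(name)
    if prof is None or name in seen:
        return None  # parent not in the excerpt, or an inheritance loop
    if key in prof:
        return prof[key]
    return effective(profiles, prof.get("defaults-from"), key, seen + (name,))

def allows_tls10(profiles, name):
    # Assumption: with nothing set anywhere in the chain, TLS 1.0 is permitted.
    ciphers = effective(profiles, name, "ciphers") or "DEFAULT"
    options = effective(profiles, name, "options") or ""
    return "!TLSv1" not in ciphers.split(":") and "no-tlsv1" not in options.split()

def audit(conf):
    profiles = parse_profiles(conf)
    return sorted(n for n in profiles if allows_tls10(profiles, n))

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

In the sample, only the child profile that overrides the cipher string with plain `DEFAULT` is reported, because setting its own cipher string drops the restriction it would otherwise inherit from the base profile.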