meenny_60187
Mar 15, 2016

Disable TLS 1.2 from Cipher Suite

I have an SSL client using the DEFAULT cipher suite. We are currently running into issues with TLS 1.2 connections. As a temporary workaround and for testing, I would like to disable TLS 1.2 as an option for making connections. Does anyone know how I might go about doing that? I've been looking for the correct cipher string to use to not use TLS 1.2, but I am having a tough time. I have gone through SOL13171, but it doesn't specify how I would disable TLS 1.2 connections. Any help would be helpful. Thanks.

 

6 Replies


  • theCook_89714
    Historic F5 Account

    SOL15194 may be more relevant here. It doesn't speak to your issue directly but it speaks to usable keywords such as TLSv1_2 which you should be able to negate. For example: "DEFAULT:!TLSv1_2"

     

    -Tim

     

  • JG

    You probably meant to disable the TLS 1.2 protocol.

     

    Create a new SSL profile, client-side or server-side that is appropriate to your situation, and in the "Options List", select "No TLSv1.2", click on "Enable" and then save ("Update") the configuration.

     

    Apply the new SSL profile to your virtual server.

     

    I hope this is what you want and need to do.

     

  • There are other options in F5 to disable TLSv1.2 (11.x series) through the cipher list. TLSv1.1 is not included in 10.2.4.

    11.x series (Option 1)

     DEFAULT:!TLSv1.2
    

    Option 2

    Create a new SSL profile, client-side or server-side that is appropriate to your situation, and in the "Options List", select "No TLSv1.2", click on "Enable" and then save ("Update") the configuration & attach profile to VIP.