Hello, I have a requirement that some of the applications with VIP's in F5 loadbalancer should support TLS 1.2. I thought of creating a SSL profile with cipher list as TLS V1_2. But i am not very sure doing that, because not all calls required TLS 1.2, there might be other calls also which are not supported for TLS 1.2. So what will be the best way in order to provide support to all types of calls using a single SSL profile. Thanks

I don't think you need to do anything in particular to enable TLS1.2. It's one of the common features of the SSL/TLS handshake to pick the highest protocol version both parties support. Recent BigIP versions allow (and prefer) TLS1.2 to be used during client-side SSL handshake, unless you have disabled it yourself, or if your software version is badly outdated (10.2.2 and older). While TLS1.2 is given preference, there's nothing that by default would prevent your clients from falling back to older TLS versions if 1.2 is not supported. What is your BigIP verion? This SOL lists out the SSL/TLS versions which are enabled by the default clientssl profile configurations, or by the DEFAULT Cipher String setting. https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html

Thanks Hannes, It answers my question. My BigIP version is 11.5.3.So every call reaching Bigip should not support TLS 1.2. For the calls which supports TLS lower versions, lower ciphers will get picked up? How exactly this cipher selection works for each request.

That's correct. If you have cURL calls which target the site using TLS1.0, these should work just fine. If your website is publicly accessible, you may validate your supported SSL/TLS versions using this SSL checker: https://www.ssllabs.com/ssltest/

HTTPS calls supporting TLS V 1.2

12 Replies

Hannes_Rapp_162
Nacreous
Oct 18, 2016
I don't think you need to do anything in particular to enable TLS1.2. It's one of the common features of the SSL/TLS handshake to pick the highest protocol version both parties support. Recent BigIP versions allow (and prefer) TLS1.2 to be used during client-side SSL handshake, unless you have disabled it yourself, or if your software version is badly outdated (10.2.2 and older). While TLS1.2 is given preference, there's nothing that by default would prevent your clients from falling back to older TLS versions if 1.2 is not supported.

What is your BigIP verion? This SOL lists out the SSL/TLS versions which are enabled by the default clientssl profile configurations, or by the
DEFAULT
Cipher String setting. https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html
- Manikanta_26608
  Nimbostratus
  Oct 18, 2016
  Thanks Hannes, It answers my question. My BigIP version is 11.5.3.So every call reaching Bigip should not support TLS 1.2. For the calls which supports TLS lower versions, lower ciphers will get picked up? How exactly this cipher selection works for each request.
- Hannes_Rapp_162
  Nacreous
  Oct 18, 2016
  That's correct. If you have cURL calls which target the site using TLS1.0, these should work just fine. If your website is publicly accessible, you may validate your supported SSL/TLS versions using this SSL checker: https://www.ssllabs.com/ssltest/
- Manikanta_26608
  Nimbostratus
  Oct 18, 2016
  That helps. The handshake simulations, protocols are clearly saying that my BigIP supports all TLS versions for all types of clients. I think it will be good for my requirement. Thank you.
Hannes_Rapp
Nimbostratus
Oct 18, 2016
I don't think you need to do anything in particular to enable TLS1.2. It's one of the common features of the SSL/TLS handshake to pick the highest protocol version both parties support. Recent BigIP versions allow (and prefer) TLS1.2 to be used during client-side SSL handshake, unless you have disabled it yourself, or if your software version is badly outdated (10.2.2 and older). While TLS1.2 is given preference, there's nothing that by default would prevent your clients from falling back to older TLS versions if 1.2 is not supported.

What is your BigIP verion? This SOL lists out the SSL/TLS versions which are enabled by the default clientssl profile configurations, or by the
DEFAULT
Cipher String setting. https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html
- Manikanta_26608
  Nimbostratus
  Oct 18, 2016
  Thanks Hannes, It answers my question. My BigIP version is 11.5.3.So every call reaching Bigip should not support TLS 1.2. For the calls which supports TLS lower versions, lower ciphers will get picked up? How exactly this cipher selection works for each request.
- Hannes_Rapp
  Nimbostratus
  Oct 18, 2016
  That's correct. If you have cURL calls which target the site using TLS1.0, these should work just fine. If your website is publicly accessible, you may validate your supported SSL/TLS versions using this SSL checker: https://www.ssllabs.com/ssltest/
- Manikanta_26608
  Nimbostratus
  Oct 18, 2016
  That helps. The handshake simulations, protocols are clearly saying that my BigIP supports all TLS versions for all types of clients. I think it will be good for my requirement. Thank you.

Forum Discussion

HTTPS calls supporting TLS V 1.2

12 Replies

Recent Discussions

Rewrite uri translation not working

no available managed rule groups for Israel il-central-1

About shun list for L7 DDoS?

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

ASM instance creation

Related Content

AppWorld 2024 Call For Speakers open

Multi-port support for HTTP/TCP load balancers in F5 Distributed Cloud (XC)

HTTP auth - Calling external API with parameters

Cipher Suites Supported (12.1.5.3)

WorldTech IT - Who Ya Gonna Call? Scary Hack Story