Enforce TLS1.0 & TLS1.1 to TLS1.2

Question

Hi Team,&nbsp;
We have a scenario on our set up where we are accepting only TLS 1.2 connections to the applications and denies all other TLS.This we are doing via irule.&nbsp;
However Is there a way we can enforce any of the client connections with are coming as TLS1.0 or TLS1.2 to TLS1.2 on the F5 side with any irule?&nbsp;
As like we uses the redirect can we be able to do a TLS versions redirect ?
So if someone comes with TLS1 irule will pick it up and force or redirect to TLS1.2 ?&nbsp;
I have tried couple of attempts with no luck - Any expert inputs will be of great help.&nbsp;

ilian_ivanov · Answer

Hello,&nbsp;
I dont think that you need iRule to achieve that. You can simply change the ciphers in your clientssl profile.&nbsp;
Example: Use "TLSv1_2" for your clientssl cipher and you will force F5 to negotiate with the clients only with TLSv1.2. In that way you don`t need to redirect anything :)&nbsp;
If I understood you correctly this will work for you.&nbsp;
Regards&nbsp;

pponte · Answer

I agree Ilian.
I think it's easier to make it filtering on the sslclient profile.
Take a look at this url:&nbsp;
https://support.f5.com/csp/article/K15194&nbsp;

Forum Discussion

Enforce TLS1.0 & TLS1.1 to TLS1.2

2 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

BoT Defense Profile, Signature Enforcement

Enforce RFC Compliance option in http profile

Enforce Server Cipher proposal in preferred order

export "ready to be enforced" signature list

Enforcing a Single Connection Max to Pool Members