Disable TLS 1.0 and 1.1 protocol on VIPS, Only TLS 1.2 should be on.

Question

Suppose we have to disable TLS 1.0 and 1.1 protocol on a VIP. Only TLS 1.2 should be enabled.&nbsp;
Consider client-ssl profile is having the existing ciphers as :&nbsp;
ciphers DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!MD5:!RC4-SHA:!3DES
Will modifying cipher to  "TLSv1_2" fulfill the requirement.&nbsp;

jaikumar_f5 · Accepted Answer

Here,tmsh create /ltm profile client-ssl cssl_tls12_only ciphers TLSv1_2Reference&nbsp;

jg · Answer

To disable the protocol:&nbsp;
(On v11.6.1)&nbsp;

Go to Local Traffic -&gt; Profiles -&gt; SSL -&gt; Client and click on the relevant profile.&nbsp;

From "Options List": Select "No TLSv1.1" and enable it.&nbsp;

I think support of v1.0 is already discontinued in this version.&nbsp;

maneesh_72711 · Answer

What version your LTM is on ? Modifying the SSL Profile (Client/Server) would sort this.&nbsp;

nathe · Answer

AJF5,&nbsp;
See configure clientssl profile for tls1.2&nbsp;
Hope this helps,&nbsp;
N&nbsp;

ajf5 · Answer

It is 11.3. And yes you are right about modiying the SSL profile. But my question was if I am changing the current cipher in client-ssl profile "DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!MD5:!RC4-SHA:!3DES" with "TLSv1_2". Will that work as we want only TLSv1.2 to be enabled.

Forum Discussion

Disable TLS 1.0 and 1.1 protocol on VIPS, Only TLS 1.2 should be on.

5 Replies

Recent Discussions

preserve client IP on layer 4 VIP

Failed to convert character dclid=%EDclid!

ASM - Parent policy vs OWASPcompliance

Rewrite uri translation not working

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

Related Content

SSL protocol mismatch

BIG-IP BGP Routing Protocol Configuration And Use Cases

Proxy Protocol Initiator

Proxy Protocol Receiver

Bidirectional Forwarding Detection (BFD) Protocol Cheat Sheet