Forum Discussion

The-messenger
Oct 18, 2018

Disabling TLS v1 and TLS v1.1 Protocol

In reading up on the issue of disabling TLS v1/v1.1 I see talk mostly about ciphers. Shouldn't we be disabling the protocol? Is it possible there will be problems if the protocol is enabled but the cipher is disabled? DevCentral has significant information on cipher suites. Is this how we should approach TLS, or should we look at the protocol?


With LTM, is there a difference in how this is configured?


2 Replies

  • There are usually different versions of a cipher for each protocol version.

     1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    AES       SHA     ECDHE_RSA 
     2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  AES       SHA     ECDHE_RSA 
     3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES       SHA     ECDHE_RSA 
    

    So disabling a cipher would remove all versions of that cipher. But if you truly want to just disable TLS1 and TLS1.1, you could use a cipher string like this:

    DEFAULT:!TLSv1:!TLSv1_1
    
  • Jana

    Here is an amazing article which explains SSL protocols and ciphers and how to carefully choose them.

    https://devcentral.f5.com/articles/cipher-suite-practices-and-pitfalls-25564?lc=1

    I prefer using explicit ciphers along with options.

    Example:

    ltm profile client-ssl clientssl_custom {
        ciphers !SSLv3:!TLSv1:!TLSv1_1:!EXPORT:!ADH:!DHE:!RC4:!DES:!3DES:!MD5:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA:RSA+AES-GCM:RSA+AES
        options { dont-insert-empty-fragments no-ssl no-sslv2 no-sslv3 no-tlsv1 no-tlsv1.1 }
    }

    tmm --clientciphers '!SSLv3:!TLSv1:!TLSv1_1:!EXPORT:!ADH:!DHE:!RC4:!DES:!3DES:!MD5:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA:RSA+AES-GCM:RSA+AES'
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
     1: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
     2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
     3: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
     4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
     5: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
     6: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
     7: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
     8: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
     9: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
    10: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
    11: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
    12:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA
    13:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
    14:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
    15:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
    16:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
    17:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
    18:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
    19:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
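    Both replies above make the same point: the only reliable way to confirm that TLS1 and TLS1.1 are gone is to look at what `tmm --clientciphers` actually lists per protocol, not at the cipher names alone. The following is an added example (not from this thread, nor F5's own tooling) that parses output in the layout quoted above and flags any suite still offered under a legacy protocol, plus a check that a cipher string carries the `!TLSv1:!TLSv1_1` negations as their own tokens. The sample output embedded below is constructed, not captured from a device.

```python
from typing import List, NamedTuple, Sequence

# Constructed sample in the layout of the `tmm --clientciphers` output quoted in the
# thread (not captured from a device); rows 1 and 2 are the legacy hits to catch.
SAMPLE_OUTPUT = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA
 3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
 4:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
"""

# Protocol names as tmm prints them; DTLS rows are reported but not judged here.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLS1", "TLS1.1"}


class Suite(NamedTuple):
    suite_id: int
    name: str
    bits: int
    protocol: str
    keyx: str


def parse_clientciphers(output: str) -> List[Suite]:
    """Parse rows 'N: ID SUITE BITS PROT [METHOD] CIPHER MAC KEYX' by position,
    so both the 7-column and the 8-column layouts seen in the thread parse."""
    suites: List[Suite] = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].endswith(":"):
            continue  # header line or blank line
        suites.append(Suite(int(f[1]), f[2], int(f[3]), f[4], f[-1]))
    return suites


def legacy_entries(suites: Sequence[Suite]) -> List[Suite]:
    """Suites the profile would still negotiate under SSLv2/SSLv3/TLS1/TLS1.1."""
    return [s for s in suites if s.protocol in LEGACY_PROTOCOLS]


def cipher_string_excludes(cipher_string: str,
                           versions: Sequence[str] = ("TLSv1", "TLSv1_1")) -> bool:
    """True only if each protocol keyword is negated as its own '!' token."""
    tokens = cipher_string.split(":")
    return all("!" + v in tokens for v in versions)
```

    Feed it the real `tmm --clientciphers '<your string>'` output from the device; an empty result from `legacy_entries` is the confirmation the original question asks for.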