Fixing SSL Labs Grade on F5 Big-IP – Disabling TLSv1 and TLSv1.1

So, it’s again time to start worrying about your SSL Labs grade. Coming January 2020, any site still supporting TLSv1 and TLSv1.1 will have its grade capped to B. As we all know, this is unacceptable, so we’ll once again need to take action.

NOOOO!!!!

Fortunately, this is one of the easier things to fix on your F5 Big-IPs. The procedure is exactly the same as in my previous instalments of this guide, but we’re going to need a few more options this time.

Before you start doing these modifications, please keep in mind that the following changes will break functionality for your users if they use a browser that doesn’t support TLSv1.2. Fortunately, these are mostly Windows XP clients running really old browsers, but it’s something you’ll need to be mindful of.

We’re going to modify our SSL Client Profile, so head over to Local Traffic -> Profiles -> SSL -> Client and select the Profile you’d like to edit.

Enable the Advanced settings, and set the Options List to Custom for the profile. If you already followed my guide on how to fix DH parameter reuse, then your Enabled Options should already look like this.

Find the following options under Available Options, select them and click Enable. They should move up to the Enabled Options list.

  • No SSL
  • No SSLv2
  • No SSLv3
  • No TLSv1
  • No TLSv1.1

Save your profile, and we should now only support TLSv1.2! I’m trying to find out if there’s any way to support TLSv1.3 yet on Big-IP systems, so stay tuned for that.

Now we’re back to normal, and shouldn’t lose our Grade A come January.
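To confirm the profile change without waiting for an SSL Labs scan, you can attempt one handshake per protocol version against the virtual server. The script below is an added example, not part of the original post or any F5 tooling; the names `probe`, `compliant` and `audit` and the hostname in the usage line are assumptions made for illustration.

```python
import socket
import ssl
import sys

# Versions from the post: the two being disabled and the one that stays.
# Fields: version to pin, whether this Python/OpenSSL build has it, target state.
CHECKS = {
    "TLSv1":   (ssl.TLSVersion.TLSv1,   ssl.HAS_TLSv1,   "refused"),
    "TLSv1.1": (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1, "refused"),
    "TLSv1.2": (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2, "accepted"),
}

def probe(host, port, name, timeout=5.0):
    """Handshake pinned to one version: 'accepted', 'refused' or 'untestable'."""
    version, client_has_it, _ = CHECKS[name]
    if not client_has_it:
        return "untestable"  # a local limitation must not be read as a server refusal
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # protocol check only; the certificate is not validated
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 blocks TLS 1.0/1.1 above level 0
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except OSError:  # ssl.SSLError, connection resets and timeouts are OSError subclasses
        return "refused"

def compliant(results):
    """True only if every version is conclusively in its target state."""
    return all(results.get(n) == want for n, (_, _, want) in CHECKS.items())

def audit(host, port=443):
    """Probe every version in CHECKS; return (per-version results, overall verdict)."""
    results = {name: probe(host, port, name) for name in CHECKS}
    return results, compliant(results)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_tls.py HOST [PORT]   e.g. check_tls.py vs.example.test 443")
    results, ok = audit(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    for name, outcome in results.items():
        print(f"{name:8} {outcome}")
    sys.exit(0 if ok else 1)
```

An `untestable` result means the machine running the check cannot offer that version itself, so run it from a host whose OpenSSL still has TLSv1 and TLSv1.1 compiled in before trusting a pass.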

Also check out the other instalments of this series:

Fixing SSL Labs Grade on F5 Big-IP – Certificate Chains
Fixing SSL Labs Grade on F5 Big-IP – Weak Cipher Suites
Fixing SSL Labs Grade on F5 Big-IP – ECDH public server param reuse


