So, it’s again time to start worrying about your SSL Labs grade. Coming January 2020, any site still supporting TLSv1 and TLSv1.1 will have its grade capped to B. As we all know, this is unacceptable, so we’ll once again need to take action.
Fortunately, this is one of the easier things to fix on your F5 Big-IPs. The procedure is exactly the same as in my previous instalments of this guide, but we’re going to need a few more options this time.
Before you start making these modifications, please keep in mind that the following changes will break functionality for your users if they use a browser that doesn’t support TLSv1.2. Fortunately, these are mostly Windows XP clients running really old browsers, but it’s something you’ll need to be mindful of.
We’re going to modify our SSL Client Profile, so head over to Local Traffic -> Profiles -> SSL -> Client and select the Profile you’d like to edit.
Enable the Advanced settings, and select the Options List as Custom for the profile. If you already followed my guide on how to fix DH parameter reuse, then your Enabled Options should already look like this.
Find the following options under Available Options, select them and click Enable. They should jump up to the Enabled Options list.
- No SSL
- No SSLv2
- No SSLv3
- No TLSv1
- No TLSv1.1
Save your profile, and we should now only support TLSv1.2! I’m trying to find out if there’s any way to support TLSv1.3 yet on Big-IP systems, so stay tuned for that.
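If you have many client SSL profiles, a small audit script can confirm that each one ends up with all five options, including child profiles that inherit their options from a parent. This is an added example, not part of the original guide: it assumes the tmsh spellings of the option names and the shape of the `tmsh list ltm profile client-ssl` output shown in the constructed sample, and the profile names are hypothetical.

```python
import re

# tmsh spellings assumed for the five GUI options the post enables.
REQUIRED = {"no-ssl", "no-sslv2", "no-sslv3", "no-tlsv1", "no-tlsv1.1"}

# Constructed sample shaped like `tmsh list ltm profile client-ssl` output.
SAMPLE = """\
ltm profile client-ssl base_tls12 {
    defaults-from clientssl
    options { dont-insert-empty-fragments no-ssl no-sslv2 no-sslv3 no-tlsv1 no-tlsv1.1 }
}
ltm profile client-ssl shop_child {
    defaults-from base_tls12
}
ltm profile client-ssl legacy_app {
    defaults-from clientssl
    options { dont-insert-empty-fragments no-sslv3 }
}
"""

def parse_profiles(text):
    """Map profile name -> {'parent': name or None, 'options': set or None}."""
    profiles, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"ltm profile client-ssl (\S+) \{", line):
            cur = profiles.setdefault(m[1], {"parent": None, "options": None})
        elif cur is None:
            continue
        elif m := re.match(r" {4}defaults-from (\S+)", line):
            cur["parent"] = m[1]
        elif m := re.match(r" {4}options (?:\{([^}]*)\}|none)", line):
            cur["options"] = set((m[1] or "").split())
    return profiles

def effective_options(profiles, name):
    """Walk defaults-from until a profile sets options itself."""
    seen = set()
    while name in profiles and name not in seen:
        seen.add(name)
        if profiles[name]["options"] is not None:
            return profiles[name]["options"]
        name = profiles[name]["parent"]
    return None  # parent not in the listing: cannot tell from this text

def audit(text):
    """Return {profile: sorted missing options, or None if undeterminable}."""
    profiles = parse_profiles(text)
    effective = {n: effective_options(profiles, n) for n in profiles}
    return {n: None if o is None else sorted(REQUIRED - o) for n, o in effective.items()}
```

An empty list means the profile has every required option; `None` means the profile inherits from a parent that is not in the listing, so check that parent separately.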
Also check out the other instalments of this series:
Fixing SSL Labs Grade on F5 Big-IP – Certificate Chains
Fixing SSL Labs Grade on F5 Big-IP – Weak Cipher Suites
Fixing SSL Labs Grade on F5 Big-IP – ECDH public server param reuse