In my last post on F5 load-balancers, we disabled TLS v1 and v1.1 as a preemptive measure as SSL Labs is going to start capping your grade to B if you’re caught supporting these protocols after January 2020. In this tutorial we’re going to go one step further and enable TLS v1.3, further future proofing our F5 deployment.
Before We Begin
Note that TLSv1.3 is only supported on Big-IP systems running software version 14.x, 15.x or newer. Furthermore, the support in version 14 is only for the experimental standard, while version 15 onwards supports the final version of TLSv1.3. Therefore my recommendation is to upgrade you F5 Big-IP to version 15 before going forward.
Here’s how our site is looking on SSL Labs before the change:
Changing Cipher Groups
Starting with TLSv1.3, cipher strings are no longer supported, which is an issue if you followed my guide for disabling weak cipher suites a while back as that guide uses a cipher string to disable ciphers that are weak enough to affect your grade on SSL Labs.
Fortunately, the F5 comes with a built in cipher group called f5-secure that does approximately the same thing, i.e. disabling overly weak ciphers that SSL Labs takes issue with. At the end of the guide, I’ll show you how to change over to this setting. But, since this group isn’t perfect, the next instalment of this guide will be on how to create your own cipher groups. So, either use the built-in cipher group, or hold of on enabling TLSv1.3 for a week until I get the next guide published.
TLSv1.3 is not enabled by default on Big-IP systems yet as of version 14 and 15. This means that we’ll need to explicitly enable it in our SSL client profile. The method should be quite familiar to you by now, as it’s just another option for the SSL profile. However, F5 has been straight forward with this, and introduced the option No TLSv1.3 which is enabled by default. So this time we’re going to disable an option instead of disabling it.
Head over to Local Traffic -> Profiles -> SSL -> Client and select the Profile you’d like to edit.
Enable the Advanced settings, and select the Options List as Custom for the profile. If you already followed my guide on how to disable TLSv1 and TLSv1.1, then your Enabled Options should already look like this:
As you can see, the No TLSv1.3 option is listed under enabled options. Select it and click Disable
However, we’re not done yet, as F5 doesn’t support TLSv1.3 when a cipher string is in use, so scroll up to Ciphers and select Cipher Group and then f5-secure from the drop-down menu.
After that, select update at the end of the page to update your SSL profile.
Checking our work
Now we can go back to SSL Labs, and check our grade again, and you should find TLSv1.3 under Protocols
Also check out the other instalments of this series:
Fixing SSL Labs Grade on F5 Big-IP – Certificate Chains
Fixing SSL Labs Grade on F5 Big-IP – Weak Cipher Suites
Fixing SSL Labs Grade on F5 Big-IP – ECDH public server param reuse
Fixing SSL Labs Grade on F5 Big-IP – Disabling TLSv1 and TLSv1.1