Forum Discussion
I'd first direct your attention to Jason Rahm's excellent article on cipher suites:
SSL Profiles Part 4: Cipher Suites
You could, for example, just enter 'TLSv1_2' in the Ciphers field of the client SSL profile to limit all client side communications to protocols that use TLSv1.2. On an 11.3 box it'd be something like this:
[root@bigip1:Active:Standalone] dev tmm --clientciphers 'TLSv1_2'
       ID  SUITE                  BITS  PROT    METHOD  CIPHER  MAC     KEYX
 0:     4  RC4-MD5                 128  TLS1.2  Native  RC4     MD5     RSA
 1:     5  RC4-SHA                 128  TLS1.2  Native  RC4     SHA     RSA
 2:    47  AES128-SHA              128  TLS1.2  Native  AES     SHA     RSA
 3:    53  AES256-SHA              256  TLS1.2  Native  AES     SHA     RSA
 4:    10  DES-CBC3-SHA            192  TLS1.2  Native  DES     SHA     RSA
 5:     9  DES-CBC-SHA              64  TLS1.2  Native  DES     SHA     RSA
 6:    51  DHE-RSA-AES128-SHA      128  TLS1.2  Native  AES     SHA     EDH/RSA
 7:    57  DHE-RSA-AES256-SHA      256  TLS1.2  Native  AES     SHA     EDH/RSA
 8:    21  DHE-RSA-DES-CBC-SHA      64  TLS1.2  Native  DES     SHA     EDH/RSA
 9:    22  DHE-RSA-DES-CBC3-SHA    192  TLS1.2  Native  DES     SHA     EDH/RSA
10:   100  EXP1024-RC4-SHA          56  TLS1.2  Native  RC4     SHA     RSA
11:    98  EXP1024-DES-CBC-SHA      56  TLS1.2  Native  DES     SHA     RSA
12:     3  EXP-RC4-MD5              40  TLS1.2  Native  RC4     MD5     RSA
13:     8  EXP-DES-CBC-SHA          40  TLS1.2  Native  DES     SHA     RSA
14:    60  AES128-SHA256           128  TLS1.2  Native  AES     SHA256  RSA
15:    61  AES256-SHA256           256  TLS1.2  Native  AES     SHA256  RSA
But then you'd also (at present day) be significantly limiting WHO could access your application, as many clients still don't support TLSv1.2 in their browsers/OS. You could also implement this in an iRule:
when HTTP_REQUEST {
    # SSL::cipher version returns the negotiated protocol, e.g. "TLSv1.2"
    if { [SSL::cipher version] ne "TLSv1.2" } {
        # Answer with a readable explanation instead of silently dropping the connection
        HTTP::respond 200 content "Your browser must support TLSv1.2"
    }
}
In this case the user would get a somewhat-friendly error message telling them why they couldn't access the site. In either case, I'd highly recommend, unless under the most controlled environments, that you NOT limit access based on TLSv1.2, but rather re-examine what you're trying to protect and if specific coding practices or even a web app firewall are better options.
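A check worth running before trusting the 'TLSv1_2' cipher string, added here as an example and not part of the original post: the tmm listing above shows that the keyword only pins the protocol version, since RC4, single DES, 3DES, export-grade (EXP) and MD5-MAC suites are all still offered under TLS1.2. The script below parses that table (the post's own output, pasted in as the sample input), flags each weak suite with the reason, and prints the colon-joined names of the suites that pass. Feeding that list back into `tmm --clientciphers` on the box is the assumed verification step; that BIG-IP accepts explicit OpenSSL-style suite names in a cipher string is an assumption here, so confirm it on your version.

```python
"""Audit a `tmm --clientciphers` listing for weak suites (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the 11.3 listing from the post above, minus the prompt line.
SAMPLE_TMM_OUTPUT = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 4 RC4-MD5 128 TLS1.2 Native RC4 MD5 RSA
1: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
4: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
5: 9 DES-CBC-SHA 64 TLS1.2 Native DES SHA RSA
6: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
7: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
8: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
9: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
10: 100 EXP1024-RC4-SHA 56 TLS1.2 Native RC4 SHA RSA
11: 98 EXP1024-DES-CBC-SHA 56 TLS1.2 Native DES SHA RSA
12: 3 EXP-RC4-MD5 40 TLS1.2 Native RC4 MD5 RSA
13: 8 EXP-DES-CBC-SHA 40 TLS1.2 Native DES SHA RSA
14: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
15: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
"""

# One data row: "<index>: <id> <suite> <bits> <prot> <method> <cipher> <mac> <keyx>"
ROW_RE = re.compile(
    r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


@dataclass
class Suite:
    index: int
    suite_id: int      # decimal cipher suite ID, e.g. 4 == 0x0004 (RC4-MD5)
    name: str          # OpenSSL-style suite name as tmm prints it
    bits: int          # key size tmm reports (192 for 3DES, 40/56 for export suites)
    protocol: str
    method: str
    cipher: str
    mac: str
    keyx: str


def parse_tmm_ciphers(text: str) -> list[Suite]:
    """Parse the tmm table; the header, prompt and blank lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        idx, sid, name, bits, prot, method, cipher, mac, keyx = m.groups()
        suites.append(Suite(int(idx), int(sid), name, int(bits),
                            prot, method, cipher, mac, keyx))
    return suites


def weak_reasons(s: Suite) -> list[str]:
    """Return why a suite is unacceptable; an empty list means it passes."""
    reasons = []
    if s.name.startswith("EXP"):
        reasons.append("export-grade suite")
    if s.bits < 128:
        reasons.append(f"{s.bits}-bit key")
    if s.cipher == "RC4":
        reasons.append("RC4 stream cipher")
    if s.cipher == "DES":
        # tmm prints 3DES as CIPHER=DES with "CBC3" in the suite name
        reasons.append("3DES (64-bit block)" if "CBC3" in s.name else "single DES")
    if s.mac == "MD5":
        reasons.append("MD5 MAC")
    return reasons


def audit(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split a tmm listing into accepted suite names and flagged ones with reasons."""
    accepted, flagged = [], {}
    for s in parse_tmm_ciphers(text):
        reasons = weak_reasons(s)
        if reasons:
            flagged[s.name] = reasons
        else:
            accepted.append(s.name)
    return accepted, flagged


def allowlist_string(names: list[str]) -> str:
    """Colon-joined suite names, the form a cipher string takes."""
    return ":".join(names)


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_TMM_OUTPUT)
    for name, why in bad.items():
        print(f"DROP {name:<22} {', '.join(why)}")
    print("Tighter cipher string:", allowlist_string(ok))
```

Run against the sample, the script drops ten of the sixteen suites and keeps only the six AES suites, which is the point: the version keyword and the suite allowlist are separate controls and both need setting.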