Forum Discussion

Manikanta_26608's avatar
Manikanta_26608
Icon for Nimbostratus rankNimbostratus
Oct 17, 2016
Solved

HTTPS calls supporting TLS V 1.2

Hello,   I have a requirement that some of the applications with VIP's in F5 loadbalancer should support TLS 1.2. I thought of creating a SSL profile with cipher list as TLS V1_2. But i am not ver...
application delivery
iRules
LTM
security
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Oct 18, 2016

    I don't think you need to do anything in particular to enable TLS1.2. It's one of the common features of the SSL/TLS handshake to pick the highest protocol version both parties support. Recent BigIP versions allow (and prefer) TLS1.2 to be used during client-side SSL handshake, unless you have disabled it yourself, or if your software version is badly outdated (10.2.2 and older). While TLS1.2 is given preference, there's nothing that by default would prevent your clients from falling back to older TLS versions if 1.2 is not supported.

Hannes_Rapp's avatar
Hannes_Rapp
Icon for Nimbostratus rankNimbostratus

I don't think you need to do anything in particular to enable TLS1.2. It's one of the common features of the SSL/TLS handshake to pick the highest protocol version both parties support. Recent BigIP versions allow (and prefer) TLS1.2 to be used during client-side SSL handshake, unless you have disabled it yourself, or if your software version is badly outdated (10.2.2 and older). While TLS1.2 is given preference, there's nothing that by default would prevent your clients from falling back to older TLS versions if 1.2 is not supported.

Hannes_Rapp's avatar
Hannes_Rapp
Icon for Nimbostratus rankNimbostratus
Oct 18, 2016

That's correct. If you have cURL calls which target the site using TLS1.0, these should work just fine. If your website is publicly accessible, you may validate your supported SSL/TLS versions using this SSL checker: https://www.ssllabs.com/ssltest/