Forum Discussion

RSEDD_217334
Jan 19, 2016

need to disable TLSv1.0 support on GTM 4000 running 11.5.3

I have a security requirement to disable SSLv3, RC4, and TLSv1.0 on my GTM 4000 device. I have the SSLv3 and RC4 requirements met, but in testing I can still access the web console with a browser that has only TLS1.0 enabled.

 

This is what I have placed in the Local Traffic > Profiles > SSL > Server & Client cipher fields: DEFAULT:!SSLv3:!TLSv1:!RC4

 

Do I have the wrong setting? Or have I missed another setting that needs to work with this one?

 

3 Replies

  • There is both the cipher list and a protocol/extension list. SSLv3 is disabled by default in that list. You will need to add TLSv1.0 to it. It's called Options List under the SSL profile. If you scroll down, you will find disable TLSv1.0, TLSv1.1, etc.

     

  • If I read your question right, you are wanting to disable TLSv1 to the device's management interface itself, correct? If that is the case, you cannot disable TLSv1 just yet. While technically you could by altering the cipher string with

    tmsh modify sys httpd ssl-ciphersuite

    this causes issues with iControl and possibly iQuery, since the version of modSSL currently doesn't support TLSv1.1+. I found this myself when we tried to disable TLSv1.

    Luckily, in 12.0 HF1 that has now been patched and you can change the allowed SSL version to disable TLSv1 appropriately using

    tmsh modify sys httpd ssl-protocol 'all -SSLv2 -SSLv3 -TLSv1'

  • Thank you both. My TLSv1.0 tests are failing now. Just as I need them to.