Forum Discussion

SSesostris_3458
May 03, 2018

Issue on disabling TLS 1.0 / TLS 1.1

Hello,

We have a problem with an LTM (Local Traffic Manager) when we turn off TLS 1.0 and 1.1. When these protocols are disabled in the SSL profile, the F5 does not return any error to the client. We would like to disable these protocols and return an HTML page to our clients when they visit the website.

 

We have prepared an iRule that looks like this:

 

    when HTTP_REQUEST {
        if { [SSL::cipher version] ne "TLSv1.2" } {
            HTTP::respond 503 content {
                my html
            }
        }
    }

 

This iRule works if we don't disable both protocols directly in the SSL profile. On the other hand, when we do disable them, the F5 does not even read the iRule. I think the trigger condition of the iRule is wrong: when the handshake fails, there is no HTTP request.

 

We are looking for a way to set up an iRule that would return an HTML page, or redirect to another URL, in case of SSL handshake failure.

 

Can someone help me?

 

5 Replies

  • The problem you have is that SSL negotiation happens prior to HTTP_REQUEST. So if you have disabled TLS 1.0 and the client only uses TLS 1.0, the session will never be established; it will be terminated before you reach the HTTP_REQUEST event, hence being unable to send an HTTP::respond command.

     

    It is by design that you do not receive an error in this instance. You would see in the SSL handshake that the version is not supported but this is not obvious to your users unless they are capturing the request using Wireshark for example.

     

    What is your actual requirement?

     

  •
    Surgeon
    Ret. Employee

    If you use SSL, the browser expects to finish the SSL handshake first. You will not be able to receive HTML if the SSL handshake fails. You need to get the SSL handshake established, and only then can you send and receive HTML.

     

    This is just how the TCP/IP stack works: if a lower-level protocol fails, the upper level will not work. What you can do is wait until the SSL handshake is established and then terminate it if the SSL version is lower than TLS 1.2. You can implement it via an iRule.

     

  • This iRule works well for what you are asking.

        when HTTP_REQUEST {
            if { [SSL::cipher version] ne "TLSv1.2" } {
                HTTP::respond 200 content "Your browser must support TLSv1.2"
            }
        }
    
    • Mike_62127

      I should have added that you need to keep TLS 1.0 & 1.1 enabled in the SSL profile. This will terminate any non-TLS 1.2 connections at the LTM and send the custom error message to the client.

       

    •
      Surgeon
      Ret. Employee

      But be aware that this solution requires TLS 1.0 and TLS 1.1 to be enabled and may impact your rating on SSL Labs. You need to decide which option to use.

       

      See Lee Sutcliffe's replies earlier
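
The approach Surgeon describes and Mike sketches above, written out as a complete iRule. This is an added example, not code from the thread or from F5: it assumes the client-SSL profile still allows TLS 1.0 and 1.1 (otherwise the handshake fails before HTTP_REQUEST ever fires, as Lee Sutcliffe explains), and the status code (426 Upgrade Required), the log prefix, the HTML body and the optional redirect URL are all illustrative choices. It also generalizes the check slightly by allowing TLS 1.3 as well as 1.2, so it will not reject modern clients on a BIG-IP version that negotiates TLS 1.3.

```tcl
# Added example (not from the thread or from F5). Reject requests that
# arrived over TLS 1.0/1.1 with a custom HTML page, after the handshake.
#
# Assumption: the client-SSL profile on this virtual server still permits
# TLS 1.0 and 1.1. If it does not, the handshake is aborted before the
# HTTP_REQUEST event and none of this runs.
#
# [SSL::cipher version] returns the negotiated protocol string:
# "TLSv1" for TLS 1.0, "TLSv1.1", "TLSv1.2", "TLSv1.3" (or "SSLv3").

when HTTP_REQUEST {
    set tls_ver [SSL::cipher version]

    # Accept TLS 1.2 and 1.3; everything else is legacy.
    if { $tls_ver eq "TLSv1.2" || $tls_ver eq "TLSv1.3" } {
        return
    }

    # Log once per rejected request so the rollout can be measured
    # before TLS 1.0/1.1 are finally removed from the profile.
    log local0. "legacy-tls-reject: client=[IP::client_addr] proto=$tls_ver host=[HTTP::host] uri=[HTTP::uri]"

    # Option A (illustrative): redirect to an upgrade page. The target
    # must itself be reachable over the client's old TLS version or the
    # client just sees a second failed handshake. Set to "" to disable.
    set upgrade_url ""
    if { $upgrade_url ne "" } {
        HTTP::respond 302 noserver "Location" $upgrade_url "Connection" "close"
        return
    }

    # Option B: serve the HTML page directly. 426 is a semantic choice
    # for "upgrade your protocol"; the original poster used 503 and
    # Mike used 200, either works for the browser.
    set html "<html><head><title>TLS upgrade required</title></head><body>"
    append html "<h1>Your browser connected with $tls_ver</h1>"
    append html "<p>This site requires TLS 1.2 or newer. Please update your browser or operating system.</p>"
    append html "</body></html>"

    HTTP::respond 426 content $html "Content-Type" "text/html; charset=utf-8" "Connection" "close"
}
```

Attach the iRule to the virtual server and confirm with a TLS 1.0-only client (for example `openssl s_client -tls1 -connect host:443` followed by a GET) that the 426 body arrives and the log line appears in /var/log/ltm; then repeat with `-tls1_2` and check that the request reaches the pool unchanged. Once the log shows no remaining legacy clients, disable TLS 1.0/1.1 in the profile and remove the iRule, which recovers the SSL Labs rating Surgeon mentions.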