v11.3 v11.4.1 server ssl profile change of behaviour? TLS1.2 used by default

Question

Hi
using the default server SSL profile in v11.3 (hf8), we see that the bigip uses tls1.0 towards the server. After an upgrade to 11.4.1 (hf4), we see that tls 1.2 is used (rejected by server in our case).&nbsp;

I haven't found any document on AskF5 listing such change of behaviour, anyone could point me to some if any? Or a document that list the default behaviour (no cipher but tls version).&nbsp;

We do not want to change the server ssl profile because we use APM and there are several backend servers involved. How can I change/force the TLS version serverside in an iRule?&nbsp;

Thanks. Alex&nbsp;

dan_l1 · Answer

TLS 1.0 was/is vulnerable to BEAST, pretty sure that's why it defaults to 1.2 in newer code levels.. see: SOL13400&nbsp;

sulaiman_85782 · Answer

We experienced a similar issue. We created a new Server Side SSL profile, where we enabled the No TLSv1.1 and No TLSv1.2 options.&nbsp;
Once we enabled this on the ServerSide SSL Profile our apps started working.&nbsp;

cory_50405 · Answer

You can change the cipher string in your server SSL profile like this, as Sulaiman has done:&nbsp;
DEFAULT:!TLSv1_2:!TLSv1_1&nbsp;

Forum Discussion

v11.3 > v11.4.1 server ssl profile change of behaviour? TLS1.2 used by default

3 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

About custome Response Blocking Page

About IPI check ip list

Related Content

Server Profile SNI

Update your DevCentral user profile

DoS Profiles

LTM Policy - Is there a way to create policy with non Case Sensitive behaviour

Parsing F5 BIG-IP LTM DNS profile statistics and extracting values with Python