Forum Discussion

IRONMAN
Jul 13, 2018

Ciphers applied to client SSL profile to allow only TLS 1.2 not working?

Hi,

I applied the cipher settings below to the client SSL profile and applied it to the VIP on 443. But when I try to access the website from any browser with TLS 1.2 unchecked in the browser settings and TLS 1.0 and 1.1 allowed, it works across all clients.

Any idea how to monitor the inbound traffic, and whether any other settings need to be added? Please guide me on this.

ciphers DEFAULT:!SSLv2:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4-SHA:AES128-SHA:AES256-SHA:!DES-CBC3-SHA:!TLSv1:!TLSv1_1

3 Replies

  • Can you log in to the LTM, run the command below and share the output with us? Is your applied cipher reflected there?

    tmsh  list ltm profile client-ssl  ciphers options

    If you want to make the change, the right way to stop the TLS 1.0 and TLS 1.1 protocols is to control them in the options parameter:

    tmsh  modify ltm profile client-ssl  options { dont-insert-empty-fragments no-sslv2 no-sslv3 no-tlsv1 no-tlsv1.1 }

  • nathe

    IRONMAN,

    I would look to perform a tcpdump/ssldump to see what's going on, see

    Overview of packet tracing with the ssldump utility

    Also, if you use PuTTY to connect to your BIG-IP and perform the following command:

    tmm --clientciphers 'DEFAULT:!SSLv2:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4-SHA:AES128-SHA:AES256-SHA:!DES-CBC3-SHA:!TLSv1:!TLSv1_1'
    it will outline which ciphers are being presented by the clientssl profile.

    Hope this helps,

    N

  • Got a solution from one of the team, but I'm not sure what it does. Can anyone please explain?

    clientssl cert default.crt key default.key chain none ciphers DEFAULT:!SSLv2:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4-SHA:AES128-SHA:AES256-SHA:!DES-CBC3-SHA:!TLSv1:!TLSv1_1:!RSA
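
A client-side check for the question this thread asks, whether the VIP still answers a handshake that offers only TLS 1.0 or 1.1 (an added example, not part of any post above). It sends a hand-built ClientHello per version, so the result does not depend on which protocol versions the local OpenSSL still permits; the suite list, the absence of SNI and port 443 are assumptions of this example.

```python
import os
import socket
import struct
import sys

VERSIONS = {"TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
NAMES = {code: name for name, code in VERSIONS.items()}
# RSA and ECDHE-RSA AES suites (constructed list; assumes an RSA certificate on the VIP).
SUITES = [0xC02F, 0xC030, 0xC027, 0xC013, 0xC014, 0x009C, 0x009D, 0x003C, 0x002F, 0x0035]


def client_hello(version):
    """Minimal ClientHello (no extensions, so no SNI) offering `version` as its highest."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify(reply):
    """Read the first record the server sent: ServerHello, alert, or nothing."""
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:
        version = int.from_bytes(reply[9:11], "big")
        return "accepted, negotiated " + NAMES.get(version, hex(version))
    if len(reply) >= 7 and reply[0] == 0x15:
        return f"refused, alert {reply[6]}"
    return "refused, no TLS reply"


def probe(host, port, version, timeout=5.0):
    """Send one ClientHello and classify whatever comes back before close or timeout."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(client_hello(version))
            while len(reply) < 11:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        pass  # reset or timeout: keep any bytes already received
    return classify(reply)


if __name__ == "__main__":
    for name, code in VERSIONS.items():
        print(name, probe(sys.argv[1], 443, code))
```

Run it with the VIP's address as the only argument. A profile that really allows only TLS 1.2 shows "refused" for the first two lines and "accepted, negotiated TLSv1.2" for the third.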