How to set top priority for TLS 1.2 protocol over TLS 1.0 for client ciphers in BIG-IP v11.6.x

Question

Problem: The F5 (version 11.6.x) establishes a TLS 1.0 connection for a client browser even if protocols TLS 1.2 and TLS 1.1 are part of the supported ciphers on both sides (client browser and F5 client-side).
How can I force the F5 to use the highest protocol available? How can I reorder the ciphers/protocols to put TLS 1.2 at the top of the protocol negotiation mechanism? How does the F5 perform the TLS protocol negotiation?
The cipher string: DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1
tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1'

ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
0:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES     SHA     EDH/RSA
1:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES     SHA     EDH/RSA
2:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES     SHA     EDH/RSA
3:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES     SHA     EDH/RSA
4:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES     SHA     EDH/RSA
5:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES     SHA     EDH/RSA

The client browser is Safari 11.1 (the latest version at time of writing).

nathe · Answer

Ghislaine, have you seen this solution Configure the cipher strength of SSL profiles&nbsp;
It suggests adding @strength at the end of the cipher string.&nbsp;
Hope this helps&nbsp;
N&nbsp;

stephanmanthey · Answer

Hi Ghislain,
if it´s generally just about ordering by protocol preference, the following cipher string will do it: DEFAULT:+TLSv1_1:+TLSv1:+DTLSv1.
Please check via command line: 
tmm --clientciphers 'DEFAULT:+TLSv1_1:+TLSv1:+DTLSv1'
The "+" prefix lowers the preference of the specifier (applies to handshake-methods, bulk-crypto and message-digest algorithms as well). 
Back to your specific case it would be the following: DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:+TLSv1_1:+TLSv1:!DTLSv1 
Verfication: 
tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:+TLSv1_1:+TLSv1:!DTLSv1'

ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES       SHA     EDH/RSA
 1:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES       SHA     EDH/RSA
 2:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES       SHA     EDH/RSA
 3:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES       SHA     EDH/RSA
 4:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES       SHA     EDH/RSA
 5:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES       SHA     EDH/RSA

In a previous post ("TMOS SSL TLS Cipher Cheat Sheet") I tried to summarize the different approaches for cipher specification including aliases and keywords. 
Cheers, Stephan

Forum Discussion

How to set top priority for TLS 1.2 protocol over TLS 1.0 for client ciphers in BIG-IP v11.6.x

2 Replies

Recent Discussions

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

About AWAF "Redirect URLs" in "Responses and Blocks"

ISP Bandwidth Utilization

Related Content

SSL protocol mismatch

BIG-IP BGP Routing Protocol Configuration And Use Cases

Cipher Suites Supported (12.1.5.3)

Cipher Suite Practices and Pitfalls

Disabling Weak Ciphers