Forum Discussion

justin_westove1's avatar
justin_westove1
Icon for Nimbostratus rankNimbostratus
Mar 03, 2016

Leave TLSv1 enabled but prioritize TLS1.2 or TLS1.1 over v1

We've disabled SSL all together on our F5 but we still allow TLSv1, TLSv1.1 and 1.2. We notice that most of our clients are hitting us on TLSv1 even though we support 1.2. Our clients have stated that they're sending a list of ciphers that they support when they initially connect (TLSv1, 1.1, and 1.2). Even though they're supporting 1.2 and we support 1.2 their connection is still using 1.0. Looking at the tmm clientciphers DEFAULT command i see that tls1.0 is ordered above 1.1 and 1.2. Is there a way to reorder this or priortize 1.2 and 1.1 over 1.0?

 

  • Append +TLSv1 to your clientssl Cipher configuration. This will move all TLSv1.0 cipher suite combinations to the end of the list (least preferred).

    I.e:

    DEFAULT:+TLSv1

    • justin_westove1's avatar
      justin_westove1
      Icon for Nimbostratus rankNimbostratus
      Awesome thanks! Is this documented somewhere? I looked and couldn't find an article on this.
    • justin_westove1's avatar
      justin_westove1
      Icon for Nimbostratus rankNimbostratus
      So after I made the change you suggested to the clientssl default cert on the F5 I executed the tmm --clientcipher DEFAULT command and got the following: 0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA 1: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA 2: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA 3: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA 4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA Line 2 is the most important in this output, tlsv1 still has priority over tls1.1 or 1.2. Thoughts?
  • Append +TLSv1 to your clientssl Cipher configuration. This will move all TLSv1.0 cipher suite combinations to the end of the list (least preferred).

    I.e:

    DEFAULT:+TLSv1

    • justin_westove1's avatar
      justin_westove1
      Icon for Nimbostratus rankNimbostratus
      Awesome thanks! Is this documented somewhere? I looked and couldn't find an article on this.
    • justin_westove1's avatar
      justin_westove1
      Icon for Nimbostratus rankNimbostratus
      So after I made the change you suggested to the clientssl default cert on the F5 I executed the tmm --clientcipher DEFAULT command and got the following: 0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA 1: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA 2: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA 3: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA 4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA Line 2 is the most important in this output, tlsv1 still has priority over tls1.1 or 1.2. Thoughts?
  • I'm not sure what else you have configured in your cipher string, or in the clientssl profile. Probably another option takes priority (i.e sort by bit strength or speed?). Regardless, this option alone clearly works as intended (using BigIP v11.5.4 in this sample)

     tmm --clientciphers 'DEFAULT:+TLSv1'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
     1:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA
     2:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA
     3:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA
     4:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
     5:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA
     6:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA
     7:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA
     8:    10  DES-CBC3-SHA                     192  TLS1.1  Native  DES     SHA     RSA
     9:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA
    10:    10  DES-CBC3-SHA                     192  DTLS1   Native  DES     SHA     RSA
    11:     5  RC4-SHA                          128  TLS1.1  Native  RC4     SHA     RSA
    12:     5  RC4-SHA                          128  TLS1.2  Native  RC4     SHA     RSA
    13: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
    14: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES     SHA     ECDHE_RSA
    15: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA
    16: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
    17: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES     SHA     ECDHE_RSA
    18: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
    19: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES     SHA     ECDHE_RSA
    20: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA
    21:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA
    22:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA
    23:    10  DES-CBC3-SHA                     192  TLS1    Native  DES     SHA     RSA
    24:     5  RC4-SHA                          128  TLS1    Native  RC4     SHA     RSA
    25: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES     SHA     ECDHE_RSA
    26: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES     SHA     ECDHE_RSA
    27: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1    Native  DES     SHA     ECDHE_RSA
    
    • justin_westove1's avatar
      justin_westove1
      Icon for Nimbostratus rankNimbostratus
      Ok i didn't type that command to verify, i typed just "tmm --clientcipher DEFAULT"...you're right, that does look to have taken care of it.
  • I'm not sure what else you have configured in your cipher string, or in the clientssl profile. Probably another option takes priority (i.e sort by bit strength or speed?). Regardless, this option alone clearly works as intended (using BigIP v11.5.4 in this sample)

     tmm --clientciphers 'DEFAULT:+TLSv1'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
     1:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA
     2:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA
     3:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA
     4:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
     5:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA
     6:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA
     7:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA
     8:    10  DES-CBC3-SHA                     192  TLS1.1  Native  DES     SHA     RSA
     9:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA
    10:    10  DES-CBC3-SHA                     192  DTLS1   Native  DES     SHA     RSA
    11:     5  RC4-SHA                          128  TLS1.1  Native  RC4     SHA     RSA
    12:     5  RC4-SHA                          128  TLS1.2  Native  RC4     SHA     RSA
    13: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
    14: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES     SHA     ECDHE_RSA
    15: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA
    16: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
    17: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES     SHA     ECDHE_RSA
    18: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
    19: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES     SHA     ECDHE_RSA
    20: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA
    21:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA
    22:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA
    23:    10  DES-CBC3-SHA                     192  TLS1    Native  DES     SHA     RSA
    24:     5  RC4-SHA                          128  TLS1    Native  RC4     SHA     RSA
    25: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES     SHA     ECDHE_RSA
    26: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES     SHA     ECDHE_RSA
    27: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1    Native  DES     SHA     ECDHE_RSA
    
    • justin_westove1's avatar
      justin_westove1
      Icon for Nimbostratus rankNimbostratus
      Ok i didn't type that command to verify, i typed just "tmm --clientcipher DEFAULT"...you're right, that does look to have taken care of it.