Ghislain_Pellet
May 17, 2018Nimbostratus
How to set top priority for TLS 1.2 protocol over TLS 1.0 for client ciphers in BIG-IP v11.6.x
Problem: The F5 (version 11.6.x) establishes a TLS 1.0 connection for a client browser even if protocols TLS 1.2 and TLS 1.1 are part of the supported ciphers on both sides (client browser and F5 client-side).
How can I force the F5 to use the highest protocol available? How can I reorder the ciphers/protocols to put TLS 1.2 at the top of the protocol negotiation mechanism? How does the F5 perform the TLS protocol negotiation?
The cipher string: DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1
tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
The client browser is Safari 11.1 (the latest version at time of writing).