Forum Discussion

Ghislain_Pellet's avatar
Ghislain_Pellet
Icon for Nimbostratus rankNimbostratus
May 17, 2018

How to set top priority for TLS 1.2 protocol over TLS 1.0 for client ciphers in BIG-IP v11.6.x

Problem: The F5 (version 11.6.x) establishes a TLS 1.0 connection for a client browser even if protocols TLS 1.2 and TLS 1.1 are part of the supported ciphers on both sides (client browser and F5 client-side).

How can I force the F5 to use the highest protocol available? How can I reorder the ciphers/protocols to put TLS 1.2 at the top of the protocol negotiation mechanism? How does the F5 perform the TLS protocol negotiation?

The cipher string: DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1

tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:!DTLSv1'

      ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
0:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES     SHA     EDH/RSA
1:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES     SHA     EDH/RSA
2:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES     SHA     EDH/RSA
3:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES     SHA     EDH/RSA
4:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES     SHA     EDH/RSA
5:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES     SHA     EDH/RSA

The client browser is Safari 11.1 (the latest version at time of writing).

  • Hi Ghislain,

    if it´s generally just about ordering by protocol preference, the following cipher string will do it:
    DEFAULT:+TLSv1_1:+TLSv1:+DTLSv1
    .

    Please check via command line:

    tmm --clientciphers 'DEFAULT:+TLSv1_1:+TLSv1:+DTLSv1'

    The "

    +
    " prefix lowers the preference of the specifier (applies to handshake-methods, bulk-crypto and message-digest algorithms as well).

    Back to your specific case it would be the following:

    DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:+TLSv1_1:+TLSv1:!DTLSv1

    Verfication:

    tmm --clientciphers 'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:!SSLv3:+TLSv1_1:+TLSv1:!DTLSv1' 
    
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES       SHA     EDH/RSA
     1:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES       SHA     EDH/RSA
     2:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES       SHA     EDH/RSA
     3:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES       SHA     EDH/RSA
     4:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES       SHA     EDH/RSA
     5:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES       SHA     EDH/RSA
    

    In a previous post ("TMOS SSL TLS Cipher Cheat Sheet") I tried to summarize the different approaches for cipher specification including aliases and keywords.

    Cheers, Stephan