Forum Discussion

paulpatriot_129's avatar
paulpatriot_129
Icon for Nimbostratus rankNimbostratus
Jan 20, 2017

Restrict BIGIQ to TLSv1.2 Only

I need to restrict BIGIQ to TLSv1.2 only. How do you go about doing this?

 

  • Greetings, Just a quick search through this article:

    https://support.f5.com/csp/article/K17007
    
    K17007: Restricting BIG-IQ user interface access to clients using high-encryption SSL ciphers and protocols
    

    Perhaps try:

    vi /etc/webd/webd.conf
    
    remove-> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add----> ssl_protocols TLSv1.2;
    
    bigstart restart webd
    bigstart status webd
    

    Kevin

  • Kevin_K_51432's avatar
    Kevin_K_51432
    Historic F5 Account

    Greetings, Just a quick search through this article:

    https://support.f5.com/csp/article/K17007
    
    K17007: Restricting BIG-IQ user interface access to clients using high-encryption SSL ciphers and protocols
    

    Perhaps try:

    vi /etc/webd/webd.conf
    
    remove-> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add----> ssl_protocols TLSv1.2;
    
    bigstart restart webd
    bigstart status webd
    

    Kevin

    • paulpatriot_129's avatar
      paulpatriot_129
      Icon for Nimbostratus rankNimbostratus

      Thanks I updated the following ssl protocols and the cipher and restarted the webd service.

       

      ssl_protocols TLSv1.2;

       

      ssl_ciphers DHE-RSA-AES128-GCM-SHA256;

       

      restart /sys service webd

       

      That fixed the issue

       

    • Kevin_K_51432's avatar
      Kevin_K_51432
      Historic F5 Account

      Awesome, thanks for the confirmation! The more we know...

       

      Kevin

       

  • Unfortunately even with the change it is still responding to TLS1.1 connections even though disabled.

    [admin@uklprlbiq01:Active:Standalone] ~  cat /etc/webd/webd.conf | grep ssl_protocols
            ssl_protocols TLSv1.2;
    

    Both Qualys and SSLPressure are both reporting this.

    SSLPressure - version: 2013-03-17
    
    [+] Target: X.X.X.X
    [+] Target ip: X.X.X.X
    [+] Loaded 11 SSL2 ciphers
    [+] Loaded 220 SSL3/TLS ciphers
    [+] Using exhaustive tests by blocks.
    [+] Starting tests...
    [+] No response for PCT.
    
    [+] Found: 002F - TLS1.1 -  AES128-SHA
    [+] Found: 0035 - TLS1.1 -  AES256-SHA
    [+] Found: 002F - TLS1.2 -  AES128-SHA
    [+] Found: 0035 - TLS1.2 -  AES256-SHA
    [+] Found: 003D - TLS1.2 -  AES256-SHA256
    [+] Found: 009C - TLS1.2 -  AES128-GCM-SHA256
    [+] Found: 009D - TLS1.2 -  AES256-GCM-SHA384