Wednesday, June 21, 2017

Defining multiple sites with unique TLS protocol settings on F5 for TLS compliance

Take a typical set of websites hosted on an F5 LTM that uses a wildcard certificate and SNI.

www1, www2 and www3

So let's say that www1 needs to support TLS 1.2 only, while www2 and www3 can support any of the other TLS versions. The virtual server uses one wildcard cert for *.

How can you achieve this? The answer is quite simple!

On the F5 you replicate the client-side SSL profile three times and define the server_name in each profile.

Within each profile you can enable or disable the various SSL/TLS versions that may be negotiated between the virtual server and the client.

So in the end you will have 2 or 3 profiles:

1: one for TLSv1.2 only, with the server_name of the TLS 1.2-only site
2: one with the server_name of the other site(s) and all TLSv1.x versions enabled
3: or just one more as the default (*) with no server_name defined; when several client SSL profiles are attached to one virtual server, one of them must be flagged as the SNI default, and that profile serves clients that send no SNI or an unmatched server name

Take a look at these client-side profiles under Local Traffic > Profile > SSL client.

Then just test using curl and select the TLS version for each server name. The hostnames below use example.com as a placeholder for the wildcard domain; with curl 7.54 or newer --tlsv1.x only sets the minimum version, so --tls-max is added to pin the exact version under test.

www1 (TLS 1.2 only, so the first two should fail the handshake):

curl -v --tlsv1.0 --tls-max 1.0 https://www1.example.com/
curl -v --tlsv1.1 --tls-max 1.1 https://www1.example.com/
curl -v --tlsv1.2 --tls-max 1.2 https://www1.example.com/

www2 (all TLSv1.x):

curl -v --tlsv1.0 --tls-max 1.0 https://www2.example.com/
curl -v --tlsv1.1 --tls-max 1.1 https://www2.example.com/
curl -v --tlsv1.2 --tls-max 1.2 https://www2.example.com/

www3 (all TLSv1.x):

curl -v --tlsv1.0 --tls-max 1.0 https://www3.example.com/
curl -v --tlsv1.1 --tls-max 1.1 https://www3.example.com/
curl -v --tlsv1.2 --tls-max 1.2 https://www3.example.com/

Only the allowed and enabled TLS versions should establish a session, based on the client-side SSL profile settings and the server_name entry.
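The manual curl checks above can be turned into a repeatable compliance test. The script below is an added example (not from the original post): it probes each SNI host with exactly one TLS version and compares what the F5 negotiates against the expected policy. It assumes example.com as a placeholder domain (override with TLS_TARGET_DOMAIN), curl 7.54 or newer for --tls-max, and the policy from the post (www1 is TLS 1.2-only, www2 and www3 allow TLS 1.0 to 1.2).

```shell
#!/bin/sh
# Added example, not from the original post: probe each SNI host with exactly
# one TLS version and compare the result with the expected policy.
# Assumptions: "example.com" is a placeholder for the wildcard domain, curl is
# 7.54 or newer (for --tls-max), www1 is TLS 1.2-only, www2/www3 allow 1.0-1.2.
DOMAIN="${TLS_TARGET_DOMAIN:-example.com}"

# Expected policy from the post: "yes" if the host should accept that version.
expected() {                     # $1 = host label, $2 = version (1.0 1.1 1.2)
    case "$1:$2" in
        www1:1.2)        echo yes ;;
        www1:*)          echo no ;;
        www[23]:1.[012]) echo yes ;;
        *)               echo no ;;
    esac
}

# Map a curl exit code to what was observed: 0 = handshake and HTTP succeeded,
# 35 = SSL connect error (the profile bound to that server_name refused the
# offered version); anything else is a non-TLS problem (DNS, timeout, ...).
outcome() {
    case "$1" in
        0)  echo yes ;;
        35) echo no ;;
        *)  echo "error($1)" ;;
    esac
}

# --tlsv1.x only sets the minimum in current curl, so --tls-max pins the
# maximum and exactly one version is offered per probe.
probe() {                        # $1 = host label, $2 = version
    curl -s -o /dev/null "--tlsv$2" --tls-max "$2" "https://$1.$DOMAIN/" 2>/dev/null
    outcome $?
}

# Walk the host/version matrix; return non-zero if any cell deviates.
run_matrix() {
    fail=0
    for h in www1 www2 www3; do
        for v in 1.0 1.1 1.2; do
            want=$(expected "$h" "$v"); got=$(probe "$h" "$v")
            [ "$want" = "$got" ] || fail=1
            printf '%-5s TLS%s expected=%-3s observed=%s\n' "$h" "$v" "$want" "$got"
        done
    done
    return $fail
}

# Only touch the network when a real domain is supplied via TLS_TARGET_DOMAIN.
if [ -n "${TLS_TARGET_DOMAIN:-}" ]; then run_matrix; fi
```

On hosts whose OpenSSL build disables TLS 1.0/1.1 at the library level, those probes return exit code 35 regardless of the F5 configuration, so run the script from a client that can still offer the older versions.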


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \
