How to make sure TLS 1.0 and 1.1 are not in use and how to verify what TLS protocol versions are accepted.
Environment:
Product: LoadMaster
Version: Any
Platform: Any
Application: Any
Question/Problem Description:
TLS v1.0 and v1.1 are disabled on the real server. When going to SSL Labs for scanning, it is showing TLS 1.0 and 1.1 enabled. Does the load-balancer have TLS 1.0 and 1.1 enabled by default?
Steps to Reproduce:
Error Message:
Defect Number:
Enhancement Number:
Cause:
Resolution:
By default, the LoadMaster enables TLS versions 1.1, 1.2, and 1.3 when SSL Acceleration has been enabled on a Virtual Service. This can be found by going into the configuration of the Virtual Service and checking the "SSL Properties" tab.
This Supported Protocols section allows an administrator to specify which protocols should be supported by the Virtual Service for the front end connection (client connecting to the Virtual Service).
If a client tried to connect with a protocol that is not enabled on the service, the connection will fail.
Server side (back-end from the LoadMaster to the Real Server) connections are only restricted by the configuration of the Real Servers, regardless of the TLS version selected on the client side. Each Real Server can be configured independently of the others. The LoadMaster negotiates connections according to the requirements of each Real Server.
By simply navigating to the appropriate service, expanding the SSL Properties tab, and disabling TLS 1.0 and TLS 1.1, the LoadMaster will now reject any client connections using those two specific protocols.
Firmware on version 7.2.56 has a feature added, "TLS 1.3 Cipher Suite Selection."
This allows the administrator to select the TLS 1.3 ciphers suites offered by LoadMaster to incoming clients when a TLS 1.3 connection is negotiated. Using the controls, any mix of the 5 ciphers supported by TLS 1.3 can be configured. Note that the controls for selecting TLS 1.3 ciphers are visible in the UI only if TLS 1.3 has been selected.
To further verify which version is being used by the LoadMaster and the client/server, a packet capture can be run and the administrator can verify the protocol used in the SSL Handshake.