Bug ID 740223: BIG-IQ still negotiates TLSv1.1 protocol when only TLSv1.2 is specified

Last Modified: Oct 21, 2020

Affected Product: BIG-IQ Platform (all modules)

Known Affected Versions:
5.4.0, 5.4.0 HF1, 5.4.0 HF2, 6.0.1, 6.0.1.1, 6.0.1.2

Opened: Aug 14, 2018
Severity: 4-Minor

Symptoms

BIG-IQ allows connections using the TLSv1.1 protocol even when only TLSv1.2 is specified.

Impact

Connections using the TLSv1.1 protocol can still be established to the BIG-IQ.

Conditions

The /etc/webd/webd.conf file or the tmsh modify sys httpd ssl-ciphersuite command specifies only TLSv1.2.

Workaround

Using a Linux system that has the nmap command, identify the ciphers that are causing TLSv1.1 negotiation:

nmap --script ssl-enum-ciphers -p 443

The output will show something like this:

| TLSv1.1:
|   ciphers:
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

Locate these ciphers in the cipher list and remove them, or disable them by placing an exclamation point in front of each:

!AES128-SHA:!AES256-SHA
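As an added illustration (not part of the F5 article), the following Python script parses ssl-enum-ciphers output like the fragment above, picks out the suites offered under TLSv1.1, and maps their IANA names to the OpenSSL names used in the BIG-IQ cipher string, producing the "!..." exclusions to append. The nmap output is constructed, and the IANA-to-OpenSSL table is a hand-maintained assumption covering only the suites shown here.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers -p 443` output, modelled
# on the fragment quoted in the workaround (not a real capture).
SAMPLE_NMAP_OUTPUT = """\
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: A
"""

# IANA suite names (as nmap prints them) -> OpenSSL names (as the cipher string
# uses them). Hand-maintained assumption; only suites relevant here are listed.
IANA_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
}

PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")  # "|   TLSv1.1:"
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(")      # "|     TLS_... (rsa 2048) - A"

def ciphers_by_protocol(nmap_output):
    """Return {protocol: [IANA suite names]} parsed from ssl-enum-ciphers output."""
    result, current = {}, None
    for line in nmap_output.splitlines():
        m = PROTO_RE.match(line)
        if m:                      # a new protocol section starts
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = SUITE_RE.match(line)
        if m and current:          # a cipher line inside the current section
            result[current].append(m.group(1))
    return result

def exclusions_for(nmap_output, protocol="TLSv1.1"):
    """Build the '!NAME:!NAME' fragment to append to the BIG-IQ cipher string."""
    names = []
    for suite in ciphers_by_protocol(nmap_output).get(protocol, []):
        if suite not in IANA_TO_OPENSSL:
            raise ValueError(f"no OpenSSL name known for {suite}; add it by hand")
        names.append("!" + IANA_TO_OPENSSL[suite])
    return ":".join(names)
```

AES128-SHA is also a valid TLSv1.2 suite (it appears under both sections in the sample), so excluding it removes it for TLSv1.2 clients as well; re-run nmap after the change to confirm the remaining TLSv1.2 list is still acceptable.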

Fix Information

None

Behavior Change