Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IQ Platform
Known Affected Versions:
5.4.0, 6.0.1, 6.0.1.1, 6.0.1.2
Fixed In:
7.1.0, 7.0.0, 6.1.0
Opened: Aug 14, 2018 Severity: 4-Minor
BIG-IQ allows connections using TLSv1.1 protocol when only TLS1.2 is specified.
Symptoms:
Connections using the TLSv1.1 protocol can still be established to the BIG-IQ.
Conditions:
The /etc/webd/webd.conf file or the tmsh modify sys httpd ssl-ciphersuite command specifies only TLSv1.2.
Workaround:
Using a Linux system that has the nmap command, identify the ciphers that are causing TLSv1.1 negotiation:

  nmap --script ssl-enum-ciphers -p 443 <BIG-IQ address>

The output will show something like this:

  | TLSv1.1:
  |   ciphers:
  |     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
  |     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

Locate these ciphers in the cipher list and remove or disable them by placing an exclamation point in front of each:

  !AES128-SHA:!AES256-SHA
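The following script is an added example, not code from F5 or from this bug record. It automates the workaround above: it parses ssl-enum-ciphers output, collects every suite the server still accepts under a pre-TLSv1.2 protocol, translates the IANA suite names nmap prints into the OpenSSL names the ssl-ciphersuite string uses, and emits the "!NAME:!NAME" fragment to append. The nmap output embedded below is constructed to match the shape shown in the workaround, and the name table covers only a handful of common CBC suites (an assumption; any suite it does not know is reported as unmapped rather than silently dropped).

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers -p 443 <host>` output.
# Not captured from a real BIG-IQ; it mirrors the layout shown in the workaround.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# IANA suite name (what nmap prints) -> OpenSSL name (what ssl-ciphersuite takes).
# Deliberately small; extend it for the suites your scan actually shows.
IANA_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": "ECDHE-ECDSA-AES256-SHA",
}

# Any suite offered under one of these protocols must go.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1.0", "TLSv1.1")

_PROTO_RE = re.compile(r"^(SSLv3|TLSv1\.\d):$")
_CIPHER_RE = re.compile(r"^(TLS_[A-Z0-9_]+)\b")


def parse_ssl_enum_ciphers(output):
    """Return {protocol: [IANA cipher names]} from ssl-enum-ciphers output."""
    by_proto, proto, in_ciphers = {}, None, False
    for raw in output.splitlines():
        line = raw.lstrip("|_ ").rstrip()      # drop nmap's "|" / "|_" gutter
        m = _PROTO_RE.match(line)
        if m:                                  # "TLSv1.1:" opens a protocol block
            proto = m.group(1)
            by_proto.setdefault(proto, [])
            in_ciphers = False
            continue
        if proto is None:
            continue                           # port table / script header lines
        c = _CIPHER_RE.match(line)
        if in_ciphers and c:
            by_proto[proto].append(c.group(1))
        elif line == "ciphers:":
            in_ciphers = True
        elif ":" in line:                      # "compressors:", "cipher preference: ..."
            in_ciphers = False
    return by_proto


def legacy_ciphers(by_proto, legacy=LEGACY_PROTOCOLS):
    """Suites accepted under any pre-TLSv1.2 protocol, in scan order, deduplicated."""
    seen = []
    for p in legacy:
        for c in by_proto.get(p, []):
            if c not in seen:
                seen.append(c)
    return seen


def exclusion_string(ciphers):
    """Build the '!NAME:!NAME' fragment for ssl-ciphersuite.

    Returns (fragment, unmapped); unmapped lists IANA names missing from the table
    so they can be translated by hand instead of being left enabled by accident."""
    parts, unmapped = [], []
    for c in ciphers:
        name = IANA_TO_OPENSSL.get(c)
        (parts.append("!" + name) if name else unmapped.append(c))
    return ":".join(parts), unmapped


def remaining_tls12(by_proto, excluded):
    """TLSv1.2 suites still offered once the exclusion is applied, so the admin
    can confirm the server is not left with an empty cipher list."""
    return [c for c in by_proto.get("TLSv1.2", []) if c not in excluded]


def plan_workaround(output):
    """Full pipeline: scan text in, exclusion fragment and sanity data out."""
    by_proto = parse_ssl_enum_ciphers(output)
    legacy = legacy_ciphers(by_proto)
    fragment, unmapped = exclusion_string(legacy)
    return {
        "legacy": legacy,
        "exclude": fragment,
        "unmapped": unmapped,
        "tls12_remaining": remaining_tls12(by_proto, set(legacy)),
    }


if __name__ == "__main__":
    import sys
    # Usage: python3 tls11_exclusions.py [saved-nmap-output.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    for key, value in plan_workaround(text).items():
        print(f"{key}: {value}")
```

The exclusion works because the suites TLSv1.1 can negotiate are the same CBC/SHA-1 suites TLSv1.2 also lists, and an OpenSSL cipher string applies to every protocol version at once. Removing them therefore leaves only suites TLSv1.2 alone can use (here the AES-GCM/SHA-256 one), which is why the script also reports what TLSv1.2 has left: an exclusion that empties that list would break TLSv1.2 clients too. Re-run the nmap scan after applying the change to confirm the TLSv1.1 block no longer appears.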
Fix Information:
BIG-IQ no longer allows TLSv1.1 when only TLSv1.2 is specified.