Bug ID 740223: BIG-IQ still negotiates TLSv1.1 protocol when only TLSv1.2 is specified

Last Modified: Nov 07, 2022

Affected Product:
BIG-IQ Platform(all modules)

Known Affected Versions:
5.4.0, 5.4.0 HF1, 5.4.0 HF2, 6.0.1

Fixed In:
7.1.0, 7.0.0, 6.1.0

Opened: Aug 14, 2018
Severity: 4-Minor


BIG-IQ allows connections using the TLSv1.1 protocol when only TLSv1.2 is specified.


Connections using the TLSv1.1 protocol can still be established to the BIG-IQ.


The /etc/webd/webd.conf file or the tmsh modify sys httpd ssl-ciphersuite command specifies only TLSv1.2.


Using a Linux system that has the nmap command, identify the ciphers that are causing TLSv1.1 negotiation:

    nmap --script ssl-enum-ciphers -p 443 <BIG-IQ address>

The output will show something like this:

    | TLSv1.1:
    |   ciphers:
    |     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

Locate these ciphers in the cipher list and remove or disable them by placing an exclamation point in front:

    !AES128-SHA:!AES256-SHA
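The workaround above can be scripted. The following is an added example, not F5 code: it parses ssl-enum-ciphers text, collects the suites listed under TLSv1.1, and builds the exclusion fragment. The function names, the sample output and the two-entry name table are assumptions made for illustration.

```python
import re

# IANA -> OpenSSL names for the two suites shown in the bug's sample output.
# Extend this table for any other suite nmap reports on your system.
IANA_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
}

# Constructed sample of ssl-enum-ciphers output (not captured from a real host).
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
"""

PROTO = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
SUITE = re.compile(r"^\|[ _]+(TLS_[A-Z0-9_]+)\b")

def ciphers_by_protocol(nmap_output):
    """Return {protocol: [IANA suite names]} from ssl-enum-ciphers text."""
    result, current = {}, None
    for line in nmap_output.splitlines():
        m = PROTO.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = SUITE.match(line)
        if m and current:
            result[current].append(m.group(1))
    return result

def exclusion_string(nmap_output, protocol="TLSv1.1"):
    """Build the '!A:!B' fragment for suites negotiated under `protocol`."""
    suites = ciphers_by_protocol(nmap_output).get(protocol, [])
    unknown = [s for s in suites if s not in IANA_TO_OPENSSL]
    if unknown:
        raise ValueError("no OpenSSL name mapped for: " + ", ".join(unknown))
    return ":".join("!" + IANA_TO_OPENSSL[s] for s in suites)

if __name__ == "__main__":
    print(exclusion_string(SAMPLE))
```

An OpenSSL cipher-string exclusion applies to every protocol version, so a suite removed this way is also no longer offered on TLSv1.2. Re-run the nmap scan after the change and confirm the TLSv1.1 block is gone.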

Fix Information

BIG-IQ no longer allows TLSv1.1 when only TLSv1.2 is specified.

Behavior Change