Disable TLS 1.0 and TLS 1.1

Dear, I need your help… I need to disable TLS 1.0 and TLS 1.1 from the SSL Template, I do it and do a scan and the deprecated TLS still appears.

This is the correct approach. The configured client-ssl template needs to be bound to the virtual port of the VIP being scanned to realize the change. You may also need to configure and bind a cipher template to lockdown the negotiated ciphers. Can you provide more details on the config such as the template/VIP and scan results?


I configured the following cipher, but in the scan it looked to me like the deprecated TLS up to 1.2 was enabled. Now I can't test it again, since the subdomain is in production.

Would you be able to post a sanitized version of the VIP and template configurations? Also, what code version are you running? Also the scan results showing the unexpected ciphers would be helpful.

Does the code say the firmware that the equipment has?
The version is 5.2.1-p3, build 70 and from aFlex it is 2.0.0

5.2.1-P3 is the ACOS version, and that should provide all the capability that you need to lockdown the ciphers. Can you post the VIP and template configurations?

slb template cipher SSL-Cipher-TLS12
 TLS1_ECDHE_RSA_AES_256_GCM_SHA384
!
!
slb template client-ssl SSL-Cliient-wilcard-cert.cl
 auth-username common-name
 chain-cert wilcard_cert
 version 33 31
 certificate wildcard_movistar_2023 key CSR-CERT-CL-CLI chain-cert wildcard_cert_2023
!
slb template client-ssl SSL-Client-Wildcard-cert-2022
 version 33 31
 certificate cert-2024 key cert-chain-key-2024 pass-phrase encrypted WLWJywa0hdNk+5XWTKSabGWx4hNsdfDt94QyE1meoAV6Bbp5+4GQ0UN4qpeMU+Yz chain-cert cert-2024

The configuration of the VIP which command can I use?

For the VIP, you can use “show run slb virtual-server vip_server_name”

Once we see the VIP configuration, we will see which client-ssl template is bound. One thing I noticed is that the two client-ssl templates you posted include “version 33 31”. This command sets the maximum negotiated version to TLS1.2, and the lowest negotiated version to TLS1.0. If you are using these templates and want to disable TLS1.0 and TLS1.2, you need to change this command to “version 33 33”.

This is what appears:

!Section configuration: 308 bytes
!
slb virtual-server vs_APIX_prod 10.233.221.195
 port 443 https
  source-nat auto
  service-group pool_vs_axway_prod
  template http 10.233.221.195_http_template
  template http-policy 10.233.221.195
  template client-ssl partition shared SSL-Client-wilcard-cert_nuevo2023

The version 33 31 is allowing the device to downgrade to 31-TLSv1.0. Try the following:

version 33 33 >>> allows 33-TLSv1.2

Hello, how do I do this configuration? If you can help me.

In the slb template SSL-Client-wilcard-cert_nuevo2023 that is in the shared partition, add or edit the version line as below:

slb template client-ssl SSL-Client-wilcard-cert_nuevo2023
version 33 33
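As an added example (not from the thread or from A10), a small Python audit that parses a “show run” dump in the shape posted above and flags every VIP port whose bound client-ssl template still has a minimum version code below 33. The sample config and names are constructed; codes 30, 32 and 34 are an assumption extending the 31 and 33 explained in the thread.

```python
import re

# ACOS version codes: 31 = TLSv1.0 and 33 = TLSv1.2 per the thread; 30/32/34 assumed to follow the 0x03,0x0N pattern.
ACOS_TLS_CODES = {30: "SSLv3", 31: "TLSv1.0", 32: "TLSv1.1", 33: "TLSv1.2", 34: "TLSv1.3"}
SAFE_MIN_CODE = 33  # a lower minimum still permits a deprecated protocol

# Constructed sample in the shape of the config posted in the thread (hypothetical names).
SAMPLE_CONFIG = """\
slb template client-ssl old-template
 version 33 31
!
slb template client-ssl hardened-template
 version 33 33
slb virtual-server vs_example 192.0.2.10
 port 443 https
  template client-ssl partition shared old-template
 port 8443 https
  template client-ssl hardened-template
!
"""

def parse_acos(config):
    """Single pass over 'show run' text -> (templates, bindings): templates maps
    name -> (max_code, min_code) or None; bindings lists (vip, port, template)."""
    templates, bindings, tmpl, vip, port = {}, [], None, None, None
    for line in config.splitlines():
        if m := re.match(r"^slb template client-ssl (\S+)", line):
            tmpl, vip = m.group(1), None
            templates[tmpl] = None  # overwritten if a 'version' line follows
        elif m := re.match(r"^slb virtual-server (\S+)", line):
            vip, port, tmpl = m.group(1), None, None
        elif not line.startswith(" "):  # "!" or another top-level block ends the context
            tmpl = vip = None
        elif (m := re.match(r"^\s+version (\d+) (\d+)", line)) and tmpl:
            templates[tmpl] = (int(m.group(1)), int(m.group(2)))
        elif (m := re.match(r"^\s+port (\d+) ", line)) and vip:
            port = int(m.group(1))
        elif (m := re.match(r"^\s+template client-ssl (?:partition \S+ )?(\S+)", line)) and port:
            bindings.append((vip, port, m.group(1)))
    return templates, bindings

def audit(config):
    """[(vip, port, template, min_version, compliant)] for every client-ssl binding."""
    templates, bindings = parse_acos(config)
    findings = []
    for vip, port, name in bindings:
        ver = templates.get(name)  # None: not in this dump, or relying on the device default
        low = ACOS_TLS_CODES.get(ver[1], f"code {ver[1]}") if ver else "unknown"
        findings.append((vip, port, name, low, bool(ver) and ver[1] >= SAFE_MIN_CODE))
    return findings
```

Run it over the full “show run” output of the active device; any binding reported with TLSv1.0 or TLSv1.1 as its minimum is what an external scan will still flag.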

Ok, I’ll do it with a new template, thank you very much.

Hello, I tried to execute the command and I get the following:

slb template client-ssl Test-TLS$ssl Test-TLS1.2-Template Version 33 33

Unrecognized command.Invalid input detected at ‘^’ marker.

ACOS_SMT01-Standby-vMaster[1/1](config:1-client ssl)#$Template
ACOS_SMT01-Standby-vMaster[1/1](config:1-client ssl)#version 33 33

Now all that remains is to assign it to the VIP and how can I check that it is OK, just by doing a scan?

You can use

show slb ssl-counters

and run a scan to verify.

I get this when I run the command

ACOS_SMT01-Standby-vMaster[1/1]#show slb ssl-counters
No SSL counters available

Sorry for so many questions, I’m new to A10.

It looks like you are on the standby device.

You will need to ssh to the active device.
This will be the IP address of the second device, not the VCS floating-ip.

I’m on the Master team, the consultants put that name and it tends to confuse.

ACOS_SMT01-Standby-vMaster
ACOS_SMT01 = hostname
-Standby = vrrp status
You must be on the device that has Active as the vrrp status to run the ‘show slb ssl-counters’ command.