Disable TLS 1.0 and TLS 1.1

Ok now I was able to run the command

Client ssl stats
Cumulative sessions = 403914632

ID     Name                 Successes   Failures
0x0300c02f TLS1_ECDHE_RSA_AES_128_GCM_SHA256  28896     994
0x0300c013 TLS1_ECDHE_RSA_AES_128_SHA      304      544
0x0300c027 TLS1_ECDHE_RSA_AES_128_SHA256    367      216
0x0300c028 TLS1_ECDHE_RSA_AES_256_SHA384    19670     239
0x0300c030 TLS1_ECDHE_RSA_AES_256_GCM_SHA384  177399182   783054
0x0300c014 TLS1_ECDHE_RSA_AES_256_SHA      8740     7064
0x0300009c TLS1_RSA_AES_128_GCM_SHA256     115      197
0x0300002f TLS1_RSA_AES_128_SHA         301      1089
0x0300003c TLS1_RSA_AES_128_SHA256       111      198
0x0300009d TLS1_RSA_AES_256_GCM_SHA384     924      1777
0x03000035 TLS1_RSA_AES_256_SHA         692      849
0x0300003d TLS1_RSA_AES_256_SHA256       114      224
0x0300cca8 TLS1_ECDHE_RSA_CHACHA20_POLY1305_SHA256 156      158
0x0300ccaa TLS1_DHE_RSA_CHACHA20_POLY1305_SHA256 305      731

Key Exchange Methods              Successes   Failures
 RSA
  2048 bits                  2257     4334
 ECDHE
  prime256v1                 177429235   791652
  secp384r1                  27924     459
 DHE

SSL/TLS Version                 Successes   Failures
SSL3.0                     0       12107

TLS1.0                     7095     16197

TLS1.1                     2420     16456

TLS1.2                     402861969   104084

TLS1.3                     0       920827

Version downgrade                370868681

Session Cache                  Count
New                       178298172
Hit                       223088883
Miss                      0
Expired                     0
Current                     145

Handshake Average time = 0 ms
Handshake Failures = 1069710
Certificate Auth = 0
SNI Auto-Map Successes = 0
SNI Auto-Map Failures = 0
SNI Auto-Map Failures Connection Closed = 0
SNI Auto-Map Failures Max Active Connections = 0
SNI Auto-Map Failures Missing Cert/Key = 0
SNI Bypass due to Missing Cert/Key = 0
SNI Bypass due to Certificate Expired = 0
SNI Bypass due to Matched Explicit Bypass List = 0

Renegotiation Counters
Total renegotiations = 973

Renegotiated SSL/TLS Versions          Successes   Failures
TLS1.2                     973      0

Global Stats

Server ssl stats
Cumulative sessions = 397517686

ID     Name                 Successes   Failures
0x0300c030 TLS1_ECDHE_RSA_AES_256_GCM_SHA384  397502946   14069

Key Exchange Methods              Successes   Failures
 RSA
 ECDHE
  prime256v1                 397502946   14053
 DHE

SSL/TLS Version                 Successes   Failures
TLS1.2                     397502946   14824

Session Cache                  Count
New                       397517686
Hit                       0
Miss                      0
Expired                     0
Current                     0

Handshake Average time = 0 ms
Handshake Failures = 14824
Certificate Auth = 0

Renegotiation Counters
Total renegotiations = 0

Renegotiated SSL/TLS Versions          Successes   Failures
(none used)

you can use ‘clear slb ssl-counter’ to reset the counters. Makes it easier to track

Ok, thank you very much for the help, I’m going to look for a domain to test.

I had a question… I only apply this to the SSL Client and I don’t have to do anything in the SSL Server part?

Yes, you only need to change the client-ssl template. The client-ssl template is the handshake from internet to A10. The server-ssl template is the handshake between A10 and the Real Server. In a SSL Offload configuration, only a client-ssl template is used.

I understand, thank you very much for the help.