
TLS 1.1 needed for certificate fetching?

Question asked by Anthony Loost on Jan 27, 2020
Latest reply on Feb 3, 2020 by Anthony Loost

We have an F5 appliance (LTM 15) where we are tightening down security for the upcoming January 2020 changes: specifically disabling TLS 1.0 and 1.1, and enabling 1.3. TLS 1.2 is already enabled by default.

 

Enabling 1.3 works without a problem. Having TLS 1.2 works also without a problem when SSL Labs runs a check.

 

Disabling TLS 1.0 ("No TLSv1" option), but keeping 1.1, also works fine, but gives the standard warning: "This server supports TLS 1.1. Grade will be capped to B from January 2020. MORE INFO".

 

However, when disabling 1.1 ("No TLSv1.1"), I get: "Assessment failed: Failed to obtain certificate".

 

This used to work fine: only having TLS 1.2 (and 1.3), but no 1.0 and 1.1, would give us a score of 'A'.

 

I'm not sure when things broke: we upgraded from LTM 14.x to 15.x in early December, so that may have been it. Or perhaps some change in the code of SSL Labs? Things work just fine with web browsers.

 

I tried with Geekflare and their service worked fine (https://gf.dev/tls-scanner/).
