TLS Reference
Objective
This document provides information on the TLS versions and cipher suites supported for the HTTP load balancers and associated origin pools. For more information on load balancers, see Load Balancing and Service Mesh.
The TLS versions and cipher suites mentioned in this guide are supported for the following entities of F5® Distributed Cloud Services:
- HTTPS Load Balancer with Automatic Certificate
- HTTPS Load Balancer with Custom Certificate/Bring Your Own Certificate (BYOC)
- Origin Pool (origin servers that use TLS)
Use the information provided in this guide to understand the TLS security levels and associated cipher suites.
TLS Versions and Cipher Suites
F5 Distributed Cloud Services provide predefined security levels that apply a minimum and maximum TLS versions and associated cipher suites for the levels. You can select the security levels or apply custom TLS security settings in F5® Distributed Cloud Console. The following table lists the TLS security levels and associated cipher suites:
Security Level | TLS Versions | Cipher Suites | Details |
---|---|---|---|
Default | Minimum TLS 1.2 Maximum TLS 1.3 | TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | Applied by default. This is also the high security level. |
Medium | Minimum TLS 1.0 Maximum TLS 1.3 | Cipher Suites of Default Level TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | Selecting medium security level also gets the cipher suites of default or high security levels. |
Low | Minimum TLS 1.0 Maximum TLS 1.3 | Cipher Suites of Default and Medium Levels TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 | Selecting low security level also gets the cipher suites of default and medium levels. |
Note: The HTTPS load balancer with automatic certificate uses default security level by default.
TLS Automatic Certificate Renewal Failure Alerts & Troubleshooting
In case of TLS certificate autorenewal failure or expiry, the following alerts are triggered:
- TLSAutomaticCertificateRenewalFailure - This is a major alert and triggered when renewal attempts are failing when the expiry date is within the period of 15 - 28 days.
- TLSAutomaticCertificateRenewalStillFailing - This is a critical alert triggered when renewal attempts are failing when the expiry date is within 15 days.
- TLSAutomaticCertificateExpired - This is a critical alert triggered when the certificate is expired.
Do the following to troubleshoot automatic certificate renewal failures:
Step 1: Verify that root domain NS and SOA records are configured correctly.
Enter the following commands:
$ dig NS <root-domain>
$ dig SOA <root-domain>
Step 2: Verify root domain CAA record.
If there is any CAA record created for root domain, then you must either add additional record to include letsencrypt.org
, or remove every existing CAA record.
Enter the following command:
$ dig CAA <root-domain>
Step 3: Verify delegated domains.
In case of delegated domains, do the following:
-
Verify in Console that domain object is in publish state and F5 Distributed Cloud NS servers are listed for the domain.
-
Verify NS record created for the delegated domain in the root domain registrar. The NS record should point to F5 Distributed Cloud NS servers. Verify using the following command:
$ dig NS <delegated-domain>
Output of above command should return F5 Distributed Cloud DNS servers.
Step 4: Verify non-delegated domains.
Verify that ACME
challenge CNAME records are created in the domain registrar for all domains, and they point to the values provided by F5 Distributed Cloud Services.
Use the following command to verify:
$ dig CNAME _acme-challenge.<non-delegated-domain>
Output for the above command should return CNAMEs that match Load Balancer DNS records.
TLS Custom Certificate Expiry Alerts & Troubleshooting
In case of TLS custom certificate expiry, the following alerts are triggered:
- TLSCustomCertificateExpiring - This is a major alert and triggered when the expiry date is within the period of 15 - 28 days.
- TLSCustomCertificateExpiringSoon - This is a critical alert triggered when the expiry date is within 15 days.
- TLSCustomCertificateExpired - This is a critical alert triggered when the certificate is expired.
As this is a user managed custom certificate, update the certificate via the UI or API to avoid any downtime.