When you want to turn off an old TLS version on a BIG-IP, you do not look for an "enable TLS 1.2" checkbox. You add a flag that disables the versions you do not want. The control lives in the SSL profile's options field, and getting its logic backwards is one of the most common SSL misconfigurations.

Subtraction, not addition

The options field is a brace-delimited list of flags. The protocol flags are all of the form no-<version>: no-sslv3, no-tlsv1, no-tlsv1.1, no-tlsv1.2, no-tlsv1.3. The rule is simple once stated plainly:

A protocol version is permitted unless its no- flag is present.

So a profile whose options contain no-tlsv1 no-tlsv1.1 permits TLS 1.2 and TLS 1.3 but blocks TLS 1.0 and 1.1. An empty options list permits everything the platform supports — which is why "I didn't configure anything" is not the same as "old protocols are off."

A typical hardened options list looks like this:

options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1.1 }

What to disable, and why

  • SSLv3 — broken by POODLE (CVE-2014-3566). Always include no-sslv3. On current TMOS it is often already blocked at the system level, but make it explicit in the profile so the intent is visible.
  • TLS 1.0 and TLS 1.1 — formally deprecated by RFC 8996 and failed by virtually every compliance baseline (PCI DSS, modern browser policy). Disable both unless you have a specific legacy client that genuinely cannot do better.
  • TLS 1.3 — leave it permitted. If no-tlsv1.3 is present on a version that supports 1.3, you are giving up a faster, safer handshake for no good reason.

Two non-protocol flags worth knowing

dont-insert-empty-fragments turns off the old 1/n−1 record split that was an early BEAST mitigation; it appears in most default option sets and is largely historical now. cipher-server-preference tells the BIG-IP to choose the cipher from its own ordered list rather than honoring the client's preference order — generally what you want, so that your carefully ordered, forward-secret suites win.

Because the protocol matrix is derived purely from which no- flags are present, the SSL profile explainer can show you, version by version, exactly what a pasted options line permits — and flag the deprecated ones it leaves open.
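The derivation is small enough to show in code. The following is an added example, not the explainer tool itself or any F5 code: it parses an options line, applies the "permitted unless its no- flag is present" rule to the five versions named above, and reports the deprecated versions left open (plus a no-tlsv1.3 flag, which the text says should not be there). Only the flags this page names are treated specially; anything else passes through untouched.

```python
import re

# Protocol versions discussed on this page, oldest first.
PROTOCOLS = ("sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3")
# Versions that should not be left permitted: SSLv3 (POODLE), TLS 1.0/1.1 (RFC 8996).
DEPRECATED = frozenset(("sslv3", "tlsv1", "tlsv1.1"))


def parse_options(line):
    """Return the set of flags in a BIG-IP 'options { ... }' fragment.

    Accepts the full 'options { a b c }' form or a bare space-separated list.
    """
    m = re.search(r"\{(.*)\}", line, re.S)
    tokens = (m.group(1) if m else line).split()
    return {t for t in tokens if t != "options"}


def protocol_matrix(flags):
    """A version is permitted unless its no-<version> flag is present."""
    return {p: ("no-" + p) not in flags for p in PROTOCOLS}


def review(line):
    """Return (matrix, findings) for one options line.

    findings lists deprecated versions still permitted and, separately,
    TLS 1.3 if a no-tlsv1.3 flag has switched it off.
    """
    matrix = protocol_matrix(parse_options(line))
    findings = [f"{p} permitted: add no-{p}"
                for p in PROTOCOLS if matrix[p] and p in DEPRECATED]
    if not matrix["tlsv1.3"]:
        findings.append("tlsv1.3 disabled: remove no-tlsv1.3")
    return matrix, findings


if __name__ == "__main__":
    # Constructed sample lines: the hardened list from above and an empty one.
    for sample in ("options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1.1 }",
                   "options { }"):
        matrix, findings = review(sample)
        print(sample)
        for proto in PROTOCOLS:
            print(f"  {proto:8} {'permitted' if matrix[proto] else 'blocked'}")
        for f in findings:
            print("  !", f)
```

An empty options list comes back with all five versions permitted and three findings, which is the "I didn't configure anything" case made visible.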