Forum Discussion

m_ru_119227
May 01, 2015

11.5.2 force Monitor to TLS 1.0

Hello

We recently upgraded from BigIP 11.3 to 11.5.2 and some HTTPS monitors and serverssl profiles stopped working. We narrowed it down to some Java Weblogic Servers that support ONLY TLS 1.0 (that's how it is). If the connection is TLS 1.1, TLS 1.2 or SSLv3 the SSL Handshake fails. With the default Cipher suites of 11.3 it worked, but it doesn't with the defaults for 11.5.2.

For the ServerSSL profile I ended up with the following cipher string: DEFAULT:!TLSv1_2:!TLSv1_1

With OpenSSL, I can use openssl s_client -tls1 -connect :

But for the HTTPS monitor I could not find a solution.

--> Any idea how to force a standard HTTPS monitor to TLS 1.0??

Greetings Mathias Rufer

6 Replies

  • I have not checked what happens if we change the ciphers in the cipher list.

    tlsv1

  • Any idea how to force a standard HTTPS monitor to TLS 1.0??

    There is a request for enhancement, but it is not yet implemented.

    ID504736 [RFE] Allow specifying desired SSL/TLS protocol version in HTTPS monitors

    You may have to use an external monitor (i.e. openssl s_client).

    • Mike_99062
      Hello Nitass, I'm a little confused and was wondering why in this instance, we couldn't match the cipher string in the Server SSL profile with the cipher string in the HTTPS Health Monitor? Thanks, Mike
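
The external-monitor workaround suggested in the reply above, sketched as an added example (not code from this thread or from F5). It assumes the usual BIG-IP external-monitor convention of node IP in `$1` (IPv4 as `::ffff:a.b.c.d`), port in `$2`, and any stdout output meaning "up"; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: external monitor that reports "up" only after a TLS 1.0 handshake.
# Assumed convention: $1 = node IP (IPv4 arrives as ::ffff:a.b.c.d), $2 = port;
# any text on stdout marks the member up, no output marks it down.

# Constructed sample of the s_client session summary for a good TLS 1.0 handshake.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'

# Strip the IPv4-mapped prefix so s_client gets a plain dotted address.
normalize_node() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# Read s_client output on stdin; succeed only if the session is exactly TLSv1
# and a cipher was agreed (a failed handshake prints "Cipher    : 0000").
tls10_negotiated() {
    awk '
        /^ *Protocol *: *TLSv1 *$/ { proto = 1 }
        /^ *Cipher *: / && $3 != "0000" && $3 != "(NONE)" { cipher = 1 }
        END { exit !(proto && cipher) }
    '
}

# Handshake restricted to TLS 1.0 with -tls1, as in the original post.
check_node() {
    host=$(normalize_node "$1")
    openssl s_client -tls1 -connect "${host}:$2" </dev/null 2>/dev/null | tls10_negotiated
}

# Run as a monitor only when the node arguments are supplied.
if [ "$#" -ge 2 ]; then
    check_node "$1" "$2" && echo "UP"
fi
```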