Forum Discussion

jlarger
Sep 14, 2018

Cipher availability changes in upgrade from 11.6 to 13

In preparation for upgrade from 11.6 to 13.x, I am trying to develop a method to identify legacy, deprecated, and unsupported ciphers in current use on our 11.6.3 LTMs that will break functionality once we're running 13.x.

I see that the methodology will change (https://devcentral.f5.com/articles/cipher-rules-and-groups-in-big-ip-v13-25200), but what impact will that have on the existing 11.6 cipher strings and option settings?

Of course, the smart thing would be to require the servers & apps using old ciphers to be up to date. But that's a different silo, and involves all the accompanying layer 8 entanglements.

Does anyone have experience or advice in finding client and server profiles that will fail following upgrade?

  • This isn't quite what I was hoping for, but it's a start.

    I can issue "reset-stats ltm profile server-ssl" with the * wildcard, and do the same for client-ssl.

    Then I can wait a set time, issue show ltm profile server-ssl all, and for client-ssl, and dump those to a text file.

    I can then parse the text and assign each profile values for each available stat to determine where weaknesses are. For thousands of profiles on hundreds of LTMs. Laborious, no?

    Given how much time we spend on TLS/SSL issues and responding to vulnerability scans, this should really be easier to find.
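The parsing step of the procedure above (reset the counters, wait, dump `show ltm profile client-ssl all` / `server-ssl all` to a file, then work out per profile which counters moved) can be scripted. The following is an added example, not code from F5 or from the poster. It assumes the statistics dump uses the two-column "name   count" rows under `Protocol` and `Cipher` headings that tmsh prints for SSL profiles; the sample text is constructed in that layout, and the list of what counts as "legacy" (SSLv2/SSLv3/TLSv1/TLSv1.1, RC4, single and triple DES, NULL, export and anonymous DH suites, MD5 MACs) is the author's own choice, to be adjusted to the cipher groups the target release actually drops.

```python
"""Parse tmsh 'show ltm profile client-ssl|server-ssl' statistics and flag
profiles whose counters show legacy protocols or ciphers still in use."""
import re
import sys

# Constructed sample in the assumed tmsh layout (not a real capture).
SAMPLE_OUTPUT = """\
Ltm::ClientSSL Profile: app1_clientssl
------------------------------------------------
Current Connections                          12
Protocol
  SSLv2                                        0
  SSLv3                                        0
  TLSv1                                      204
  TLSv1.1                                      0
  TLSv1.2                                   9813
Cipher
  RC4-SHA                                    204
  DES-CBC3-SHA                                 0
  AES256-SHA                                5120
  ECDHE-RSA-AES128-GCM-SHA256               4693

Ltm::ClientSSL Profile: app2_clientssl
------------------------------------------------
Current Connections                           3
Protocol
  SSLv3                                        0
  TLSv1                                        0
  TLSv1.2                                    311
Cipher
  ECDHE-RSA-AES256-GCM-SHA384                311
"""

# Author's choice of what to treat as legacy; tune to the release notes.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LEGACY_CIPHER_PATTERNS = [r"^RC4", r"DES-CBC3", r"^DES-", r"NULL",
                          r"EXP", r"^ADH", r"MD5$"]

PROFILE_RE = re.compile(r"^Ltm::(ClientSSL|ServerSSL) Profile:\s+(\S+)")
SECTION_RE = re.compile(r"^(Protocol|Cipher)\s*$")
COUNTER_RE = re.compile(r"^\s{2}(\S+)\s+(\d+)\s*$")  # indented counter row


def parse_ssl_stats(text):
    """Return {profile: {'type': ..., 'Protocol': {...}, 'Cipher': {...}}}."""
    profiles = {}
    current = None
    section = None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:  # a new profile block starts
            current = profiles.setdefault(
                m.group(2), {"type": m.group(1), "Protocol": {}, "Cipher": {}})
            section = None
            continue
        if current is None:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m and section:
            current[section][m.group(1)] = int(m.group(2))
        elif line and not line.startswith(" "):
            section = None  # any other top-level row ends the section
    return profiles


def legacy_usage(profiles):
    """Return {profile: [(category, name, count), ...]} for non-zero legacy counters."""
    findings = {}
    for name, stats in profiles.items():
        hits = []
        for proto, count in stats["Protocol"].items():
            if proto in LEGACY_PROTOCOLS and count > 0:
                hits.append(("protocol", proto, count))
        for cipher, count in stats["Cipher"].items():
            if count > 0 and any(re.search(p, cipher) for p in LEGACY_CIPHER_PATTERNS):
                hits.append(("cipher", cipher, count))
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    # Usage: python ssl_stats.py dump.txt   (no argument: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for profile, hits in legacy_usage(parse_ssl_stats(text)).items():
        for category, item, count in hits:
            print(f"{profile}\t{category}\t{item}\t{count}")
```

Run it once per LTM against the dumped text file and concatenate the tab-separated output; a profile that never appears has shown no legacy protocol or cipher traffic during the observation window, which is only as meaningful as the window is long.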