Forum Discussion

prashanth's avatar
prashanth
Icon for Nimbostratus rankNimbostratus
Dec 04, 2020

Cipher negotiated between F5 and Node

Hi There, We are currently in the process of upgrading F5 from v12 to v13. We came across an issue due to depreciated ciphers. Some of our VIPs were using the DEFAULT cipher suite and since some l...
application delivery
BIG-IP
cipher
LTM
ssl
  • jaikumar_f5's avatar
    jaikumar_f5
    Dec 06, 2020

    Here's what you could had done,

    1. ​Run the tmm --clientciphers <suite> command in both the versions and see the difference. Don't forget to frame the command with your existing cipher suite.

    ​2. As you suspect the issue is on the server side, you can run the same command like,

    tmm ---serverciphers <suite> and identify the differences. If it's DEFAULT, use DEFAULT.

    3. Other option is to use the openssl/curl command to be run against your nodes to see which cipher was selected. I prefer openssl.

    4. The easiest way would be to map an irule to log the ciphers. If you want client side, use clientssl_handshake event, since you need on serverside, use serverssl_handshake event and log below entries.

    SSL Version - [SSL::cipher version]

    Cipher Name - [SSL::cipher name]

    Bits Strength - [SSL::cipher bits]

    If you need help in framing Irule, let us know.​

Samir's avatar
Samir
Icon for MVP rankMVP

1. Generate the qkview and upload the ihealth.f5.com

​2. Open support care for most stable version in v13.x

3. Do the proper plan before upgrade.

Thanks​

prashanth's avatar
prashanth
Icon for Nimbostratus rankNimbostratus
Dec 05, 2020

i think you are not getting my question here, my question is more simple though, is there any commands available to check the cipher negotiated between F5 and backend node in F5?

  • Samir's avatar
    Samir
    Icon for MVP rankMVP
    Dec 05, 2020

    Capture the packet via ssldump and see the ​negotiated cipher details.