Forum Discussion
Does bigd support TLS1.2? Monitor is failing when only TLS1.2 is enabled on the server
The default https monitor is failing when only TLS1.2 is enabled on the server. Does bigd support TLS1.2? I am using 11.4.1 HF6.
When I use the following ciphers in the https monitor, it does not even start the SSL handshake.
ltm monitor https tls1_2monitor {
    cipherlist TLSv1_2
    compatibility enabled
    defaults-from https
    destination *:*
    interval 5
    send "GET /\\r\\n"
    time-until-up 0
    timeout 16
}
Or with the following cipherlist:
DEFAULT:+SHA:+3DES:+kEDH:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
Thanks
3 Replies
- James_Thomson
Employee
I don't have anything running that version right now. Can you capture a tcpdump and show the output with ssldump to see what is happening?
https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html
If you paste the conversation here between F5 and server, we can maybe figure it out.
- grom_287697
Historic F5 Account
Hi, in the SOL we read:
Note: TLS1.2 monitor support was added in 11.5.0. https://support.f5.com/kb/en-us/solutions/public/16000/500/sol16526.html?sr=57768043
- Leonardo_Souza
Cirrocumulus
Also, in the same solution:
Note: You cannot modify the TLS/SSL protocol version. The HTTPS monitor will choose the highest level TLS/SSL protocol.
bigd does not interpret the protocol version from the cipher list, but does implement the ciphers. The solution for your case is either to upgrade as suggested or to use an external monitor.
About external monitors, I could only find this one that is for HTTP, but you can change the curl command to HTTPS: https://devcentral.f5.com/codeshare?sid=395
I will have to write one for HTTPS as I need it, so I will share the link after (probably this week).
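A sketch of the external-monitor approach suggested in the reply above, as an added example that is not part of the thread and is not the script linked or promised there. It assumes BIG-IP invokes the script with the member IP and port as the first two arguments and treats any stdout output as "up", that the curl on the box supports `--tlsv1.2`, and that `URI` and `EXPECT` are hypothetical monitor variables.

```shell
#!/bin/bash
# Added example: external HTTPS monitor that requires TLS 1.2 or newer.
# Assumed calling convention: <script> <member-ip> <member-port>;
# any output on stdout marks the member up, no output marks it down.
# URI and EXPECT are hypothetical variables, not taken from the thread.

# IPv4 members arrive in IPv4-mapped IPv6 form (::ffff:a.b.c.d).
normalize_ip() {
    case "$1" in
        ::ffff:*.*) printf '%s\n' "${1#::ffff:}" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# Build the request URL, bracketing native IPv6 literals.
build_url() {
    local ip port="$2" uri="${3:-/}"
    ip=$(normalize_ip "$1")
    case "$ip" in
        *:*) printf 'https://[%s]:%s%s\n' "$ip" "$port" "$uri" ;;
        *)   printf 'https://%s:%s%s\n' "$ip" "$port" "$uri" ;;
    esac
}

# Up only when the HTTP status equals the expected one (default 200).
status_is_up() {
    case "$1" in
        "${2:-200}") return 0 ;;
        *)           return 1 ;;
    esac
}

check_member() {
    local url code
    url=$(build_url "$1" "$2" "${URI:-/}")
    # --tlsv1.2 makes curl refuse any handshake below TLS 1.2.
    # -k skips certificate validation because the member is addressed by
    # IP; use --cacert instead where the certificate can be validated.
    code=$(curl -sk --tlsv1.2 --max-time 4 -o /dev/null \
        -w '%{http_code}' "$url") || return 1
    status_is_up "$code" "${EXPECT:-200}"
}

# Run the check only when called with member arguments.
if [ "$#" -ge 2 ]; then
    check_member "$1" "$2" && echo up
fi
```

Keep curl's `--max-time` below the monitor interval so a hung handshake cannot overlap the next probe.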