Forum Discussion
How to force pool HTTPS monitoring to use only SSLv3 or TLS1.0
We have an issue where the pool monitors the pool members on port tcp/443 SSL. - The pool member server only allows TLS1.0 - The virtual server (Server SSL profile) is set to allow only SSLv3.
So in the above configuration, the connection would NOT work.
The server is marked available by the monitoring, as when the pool tests the server first with SSLv3 the server resists, but then the pool tests again with TLS1.0, the server answers, and the server is marked as green. But actual traffic will arrive only on SSLv3.
What we would need: How to force pool monitoring to use only SSLv3 (so mark the server as down).
8 Replies
- JRahm
Admin
create a custom https monitor and specify the cipher list as only SSLv3
- Micros_88999
Nimbostratus
Does not work for me.
No matter if I specify SSLv3 in the custom monitoring, cipher list, it still uses TLS1.2
Plus it seems if I specify something incorrect (like ssl3), the f5 device accepts it but then does not send a Client Hello.
Just to clarify, setting SSLv3 seems to be correct as the f5 sends a Client Hello, but it uses TLS1.2.
- JRahm_128324
Historic F5 Account
What is your current cipher string? Can you try '!TLSv1.2:!TLSv1.1:!TLSv1:SSLv3' If that doesn't work, I'd open a case with support, this might be a bug.
- Micros_88999
Nimbostratus
!TLSv1.2:!TLSv1.1:!TLSv1:SSLv3 does not work, no Client Hello, the f5 FINs the connection after the successful TCP 3 way handshake.
If I set SSLv3, it sends the Client Hello, but with Version: TLS 1.2 (0x0303)
When I tried to locate the issue, I also did some testing with the built-in cURL. I found that with cURL, you can specify the used protocol and ciphers in two separate places, like:
curl -1 --cipher "RC4:MD5" https://whatever. where -1 means TLS1.0
but you cannot specify the protocol in the --cipher option, like:
curl --cipher "SSLv3" https://whatever
I don't know exactly how monitoring works on f5, but isn't it possible that - similar to cURL - we have only a "--cipher" field in the GUI, and don't have an "options" field? If yes, we would need one.
We plan to use an external monitoring, with like curl -NksSf3 ..... Where -3 means forcing SSLv3
Another addition, the built-in cURL version is 7.19.7 and does not support --TLSv1.0 --TLSv1.1 --TLSv1.2, only -1 (TLS1.0) and -3 (--SSLv3); those options are available only in cURL 7.34(?)
We've upgraded from 11.4.1 to 11.5.1 HF5 (and are planning to upgrade to HF7) but the built-in cURL was not upgraded in the new version either.
- Micros_88999
Nimbostratus
Opened support case C1742429
- did you already receive a reply on this?
- bucklej3_128765
Nimbostratus
Any update?
- Hygor
Nimbostratus
Hi, I was having the same problem. My problem was solved after upgrading the unit to version 11.5.3
https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16646.html