Forum Discussion

Nimbostratus

Mar 25, 2014

How to force pool HTTPS monitoring to use only SSLv3 or TLS1.0

We have an issue where the pool monitors the pool members on port tcp/443 SSL. - The pool member server only allowing TLS1.0 - The virtual server (Server SSL profile) is set to allow only SSLv3. ...

Nimbostratus

Jan 09, 2015

!TLSv1.2:!TLSv1.1:!TLSv1:SSLv3 does not work, no Client Hello, the f5 FINs the connection after the successful TCP 3 way handshake.

If I set SSLv3, it sends the Client Hello, but with Version: TLS 1.2 (0x0303)

When I tried to locate the issue, I also did some testing with built in cURL. I found that with cURL, Your can specify used protocol and ciphers in two separate places, like:

curl -1 --cipher "RC4:MD5" https://whatever. where -1 means TLS1.0

but You cannot specify the protocol in the --cipher option, like:

curl --cipher "SSLv3" https://whatever

I don

t know exactly how monitoring works on f5, but isn

t it possible that - similar to cURL - we have only a "--cipher" field in GUI, and don

t have an "options" field? If yes, we would need one.

We plan to use an external monitoring, with like
curl -NksSf3 .....
Where -3 means forcing SSLv3

Another addition, built in cURL version is 7.19.7 does not support --TLSv1.0  --TLSv1.1  --TLSv1.2
only -1 (TLS1.0) and -3 (--SSLv3) which options available only in cURL 7.34(?)

We

We plan to use an external monitoring, with like curl -NksSf3 ..... Where -3 means forcing SSLv3

Another addition, built in cURL version is 7.19.7 does not support --TLSv1.0 --TLSv1.1 --TLSv1.2 only -1 (TLS1.0) and -3 (--SSLv3) which options available only in cURL 7.34(?)

We`ve upgraded from 11.4.1 to 11.5.1 HF5 (and planning to upgrade to HF7) but the built in cURL was not upgraded in the new version either.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)