Forum Discussion

F5_LB_Eng
Feb 19, 2019

how to stop logs

The following cipher string allows TLS1.2 only and he sees a lot of messages: !RSA:!SHA:!3DES:!TLSv1_1:!TLSv1:!MEDIUM:ECDHE:DEFAULT:@STRENGTH


The questions are: Which message will be logged when a client tries to connect with TLS1.0 or 1.1? If using options no-tlsv1 and no-tlsv1.1 (not sure, I think they are in the client-ssl profile), is there a difference regarding the log messages? Is there a difference in connection handling when using the cipher string or the options?


How can we stop the new logs?


  • Hey F5Support!

    The log message you are referring to is most likely:

    Feb 19 03:41:53 bigip01 warning tmm3[14520]: 01260009:4: Connection error: ssl_select_suite:8181: no shared ciphers (40)
    Feb 19 03:41:53 bigip01 warning tmm3[14520]: 01260026:4: No shared ciphers between SSL peers x.x.x.x.40880:y.y.y.y.443.
    

    Since version 12.x, SSL Debug Log information is automatically logged to /var/log/ltm.

    K09322055: The BIG-IP system now logs debug SSL errors through standard logging

    In order to turn this off, you need to modify the ssl log value from the default value "Warning" to "Error", which is the log level right above Warning. You do this by modifying the database value using the following tmsh command:

    modify sys db log.ssl.level value Error

    About the log levels

    Remember that you do not need to save the configuration after modifying the database.

    BIG-IP system database variables are automatically saved when modified

    That will make the log messages disappear. However, it will now only log when it receives log entries classified under the "Error" level. But you can alter this in case you need to troubleshoot. 🙂

    I hope this helps!
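Before silencing these messages, it is worth knowing which clients are still failing the handshake, since the same log lines are the only evidence that a legacy client is being refused. The following is an added example, not code from the original post or from F5: a small Python parser that reads /var/log/ltm style lines, picks out the 01260009/01260026 "no shared ciphers" pair, extracts the client address and the virtual server from the "SSL peers" field (BIG-IP writes peers as a.b.c.d.PORT:e.f.g.h.PORT, with a dot before the port), and counts failures per client. It also models the effect of log.ssl.level as a syslog severity threshold (Warning = 4, Error = 3), so you can see that raising the level to Error drops every line in the sample. The sample log lines are constructed for the example, and the threshold semantics are taken from the answer above rather than from any F5 documentation.

```python
import re
from collections import Counter

# Syslog severities, most severe first (lower number = more severe).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "error": 3, "err": 3,
            "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

# Message IDs from the post: the pair that tmm writes for each failed cipher negotiation.
NO_SHARED_CIPHERS = {"01260009", "01260026"}

# /var/log/ltm line layout: "<ts> <host> <severity> <proc>[<pid>]: <msgid>:<level>: <message>"
LTM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<sev>[a-z]+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<msgid>[0-9a-f]{8}):(?P<lvl>\d): (?P<msg>.*)$"
)

# Peers are written as a.b.c.d.PORT:e.f.g.h.PORT (dot, not colon, before the port).
PEERS = re.compile(
    r"SSL peers (?P<cip>\d+\.\d+\.\d+\.\d+)\.(?P<cport>\d+):"
    r"(?P<vip>\d+\.\d+\.\d+\.\d+)\.(?P<vport>\d+)"
)

# Constructed sample: two handshakes from 10.1.1.20, one from 10.1.1.21, plus an unrelated notice.
SAMPLE_LOG = """\
Feb 19 03:41:53 bigip01 warning tmm3[14520]: 01260009:4: Connection error: ssl_select_suite:8181: no shared ciphers (40)
Feb 19 03:41:53 bigip01 warning tmm3[14520]: 01260026:4: No shared ciphers between SSL peers 10.1.1.20.40880:192.0.2.10.443.
Feb 19 03:41:57 bigip01 warning tmm1[14518]: 01260009:4: Connection error: ssl_select_suite:8181: no shared ciphers (40)
Feb 19 03:41:57 bigip01 warning tmm1[14518]: 01260026:4: No shared ciphers between SSL peers 10.1.1.21.51022:192.0.2.10.443.
Feb 19 03:42:10 bigip01 warning tmm3[14520]: 01260009:4: Connection error: ssl_select_suite:8181: no shared ciphers (40)
Feb 19 03:42:10 bigip01 warning tmm3[14520]: 01260026:4: No shared ciphers between SSL peers 10.1.1.20.40912:192.0.2.10.443.
Feb 19 03:42:15 bigip01 notice tmm3[14520]: 01010028:5: No members available for pool /Common/app_pool
"""


def parse_ltm_line(line):
    """Parse one ltm log line into a dict, or return None if it does not match."""
    m = LTM_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["lvl"] = int(entry["lvl"])
    peers = PEERS.search(entry["msg"])
    if peers:
        entry["client"] = peers["cip"]
        entry["client_port"] = int(peers["cport"])
        entry["vs"] = f"{peers['vip']}:{peers['vport']}"
    return entry


def is_no_shared_ciphers(entry):
    return entry is not None and entry["msgid"] in NO_SHARED_CIPHERS


def would_log(entry, ssl_level="Warning"):
    """Model log.ssl.level as a threshold: messages at that severity or more severe are kept.
    (Assumption based on the answer above: Warning keeps level 4, Error keeps only <= 3.)"""
    return entry["lvl"] <= SEVERITY[ssl_level.lower()]


def summarize(lines, ssl_level="Warning"):
    """Return (number of no-shared-cipher lines that survive ssl_level,
    Counter of (client_ip, virtual_server) -> failed handshakes)."""
    clients = Counter()
    kept = 0
    for line in lines:
        entry = parse_ltm_line(line)
        if not is_no_shared_ciphers(entry):
            continue
        if would_log(entry, ssl_level):
            kept += 1
        if "client" in entry:  # only the 01260026 line carries the peers
            clients[(entry["client"], entry["vs"])] += 1
    return kept, clients


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for level in ("Warning", "Error"):
        kept, clients = summarize(lines, level)
        print(f"log.ssl.level={level}: {kept} no-shared-cipher lines would be logged")
    for (client, vs), n in clients.most_common():
        print(f"  {client} -> {vs}: {n} failed handshakes")
```

Run it against a copy of /var/log/ltm (replace SAMPLE_LOG with the file's lines) to get a per-client list before you change log.ssl.level; once the level is Error, the counter is empty because the lines are no longer written.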