Forum Discussion
HTTPS monitor question
So the monitor cipher list is checked in server-side context, that is, with tmm --serverciphers 'DEFAULT:+SHA:+3DES:+kEDH'?
bigd uses the OpenSSL cipher library. You could use openssl ciphers (openssl ciphers DEFAULT:+SHA:+3DES:+kEDH -v) instead of tmm --serverciphers.
Also, when I did an ssldump for the pool member, LTM bigd sent version SSLv3.1 or TLS1.0 to the backend server. Should not LTM send TLS 1.2 first, as this is the highest protocol it supports?
I understand you do see ClientHello version 3.1 because the server does not support TLS 1.2 (on the first connection, bigd sends ClientHello version 3.3 but the server responds with version 3.1, so bigd will send ClientHello version 3.1 on the subsequent connection). To see it, you can remove the https monitor, run ssldump and then re-assign the monitor to the pool.
e.g.
configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm monitor https https
ltm monitor https https {
adaptive disabled
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled
destination *:*
interval 5
ip-dscp 0
send "GET /\r\n"
time-until-up 0
timeout 16
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
members {
200.200.200.101:443 {
address 200.200.200.101
session monitor-enabled
state up
}
}
monitor https
}
trace
[root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 port 443
New TCP connection 1: 200.200.200.11(37012) <-> 200.200.200.101(443)
1 1 1419466427.8307 (0.0036) C>SV3.1(512) Handshake
ClientHello
Version 3.3
random[32]=
91 2f f5 8a 2d 96 6e ae 08 e8 69 7b 99 19 e1 9a
61 1d bb 68 b2 ca 69 3e e0 e4 5b 49 60 6a 48 59
...snipped...
1 2 1419466427.8602 (0.0295) S>CV3.1(81) Handshake
ServerHello
Version 3.1
random[32]=
54 9b 53 0b c5 4e c9 c3 fd 1e c5 11 41 64 f2 b2
12 63 01 46 94 60 20 56 bb 66 fa d7 ef 54 8d e5
session_id[32]=
d8 e6 ba 14 36 0e 43 ce 07 41 d6 19 3b b3 6d 6a
11 f4 90 03 bb ec 0e 55 ef 27 21 e4 3c 47 2e 91
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
...snipped...
New TCP connection 2: 200.200.200.11(37013) <-> 200.200.200.101(443)
2 1 1419466432.8379 (0.0024) C>SV3.1(236) Handshake
ClientHello
Version 3.1
random[32]=
0d 67 58 de 02 72 e0 fd 0e 46 47 41 4d 17 b3 52
19 a7 c1 c3 6b cd 90 3e 93 ce f1 e2 f7 9c 8e f7
resume [32]=
d8 e6 ba 14 36 0e 43 ce 07 41 d6 19 3b b3 6d 6a
11 f4 90 03 bb ec 0e 55 ef 27 21 e4 3c 47 2e 91
...snipped...
SynACk_128568 (Cirrostratus), Dec 24, 2014
Thanks Nitass for your explanation. So if I use the tmsh modify command to change the cipher list of the monitor to exclude SSL ciphers, it would be like: tmsh ltm modify monitor https httpscustom cipher-list DEFAULT:+SHA:+3DES:+kEDH:!SSLv3. For the 2nd part, if I got it right, first I need to remove the https monitor from the pool, then start running ssldump and alongside apply the monitor again. Correct me if I am wrong. Thanks
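An added example, not code from either participant: a small Python parser for ssldump output that reports, per connection, the version bigd offered in its ClientHello, the version the server selected, whether the session was resumed (which is why the second ClientHello in the trace above stays at 3.1), and whether the negotiated suite deserves a review. The embedded sample trace is constructed from the thread's capture with the hex bodies snipped; the weak-suite markers are an assumption of this example, not a BIG-IP setting.

```python
# Constructed sample modelled on the ssldump trace in the thread (hex bodies snipped).
SAMPLE_TRACE = """\
New TCP connection 1: 200.200.200.11(37012) <-> 200.200.200.101(443)
ClientHello
Version 3.3
ServerHello
Version 3.1
cipherSuite TLS_RSA_WITH_RC4_128_MD5
New TCP connection 2: 200.200.200.11(37013) <-> 200.200.200.101(443)
ClientHello
Version 3.1
resume [32]=
"""

VERSION_NAMES = {"3.0": "SSLv3", "3.1": "TLS1.0", "3.2": "TLS1.1", "3.3": "TLS1.2"}
WEAK_MARKERS = ("RC4", "MD5", "3DES", "NULL", "EXPORT")  # assumed review list for this example

def name(version):
    return VERSION_NAMES.get(version, version)

def parse_ssldump(text):
    """One dict per TCP connection: versions offered/selected, resumption flag, cipher suite."""
    conns, cur, hello = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("New TCP connection"):
            cur = {"offered": None, "selected": None, "resumed": False, "cipher": None}
            conns.append(cur)
            hello = None
        elif cur is None:
            continue
        elif line in ("ClientHello", "ServerHello"):
            hello = line  # subsequent Version/resume lines belong to this message
        elif line.startswith("Version ") and hello:
            cur["offered" if hello == "ClientHello" else "selected"] = line.split()[1]
        elif line.startswith("resume") and hello == "ClientHello":
            cur["resumed"] = True  # session-ID resumption, so no fresh version negotiation
        elif line.startswith("cipherSuite"):
            cur["cipher"] = line.split()[1]
    return conns

def assess(conn):
    """Findings to review before trusting what the monitor actually negotiated."""
    offered, selected, findings = conn["offered"], conn["selected"], []
    if offered and selected and float(offered) > float(selected):
        findings.append(f"server selected {name(selected)} although {name(offered)} was offered")
    if conn["resumed"]:
        findings.append(f"session resumed, ClientHello pinned at {name(offered)}")
    if any(m in (conn["cipher"] or "") for m in WEAK_MARKERS):
        findings.append(f"weak cipher suite negotiated: {conn['cipher']}")
    return findings

if __name__ == "__main__":
    for i, c in enumerate(parse_ssldump(SAMPLE_TRACE), 1):
        print(i, c, assess(c))
```

Feed it the output of `ssldump -Aed -nni 0.0 port 443` captured while re-assigning the monitor, as described above.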