Forum Discussion
SynACk_128568
Cirrostratus
Dec 23, 2014
HTTPS monitor question
Hi All,
I need clarification on how the https monitor works in relation to the cipher list.
1. Does bigd use some specific protocol for monitoring backend servers?
Can bigd be forced to use ...
nitass_89166
Noctilucent
Dec 24, 2014
tmsh modify ltm monitor https httpscustom cipherlist DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
e.g.
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) modify ltm monitor https myhttps cipherlist DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm monitor https myhttps
ltm monitor https myhttps {
adaptive disabled
cipherlist DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
compatibility enabled
defaults-from https
destination *:*
interval 5
ip-dscp 0
send "GET /\r\n"
time-until-up 0
timeout 16
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) q
[root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 host 200.200.200.101 and port 443
New TCP connection 1: 200.200.200.11(43738) <-> 200.200.200.101(443)
1 1 1419479022.6682 (0.0036) C>SV3.1(208) Handshake
ClientHello
Version 3.3
random[32]=
37 62 de 45 83 46 bc 86 aa 55 0c 6f 24 7a fd d2
64 fd 9b fd a4 f8 e2 3a aa 71 09 95 27 e7 9a c7
SynACk_128568
Cirrostratus
For the 2nd part, if I got it right, first I need to remove the https monitor from the pool, then start running ssldump and alongside apply the monitor again.

nitass_89166
Noctilucent
Yes, but if you use the DEFAULT:+SHA:+3DES:+kEDH:!SSLv3 cipher list, you do not need to do it (i.e. remove and re-assign the monitor), because SSLv3 is already removed.
SynACk_128568
Cirrostratus
Dec 25, 2014
Hi Nitass, one more thing. The output of this command:

openssl ciphers DEFAULT:+SHA:+3DES:+kEDH -v
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1

All are SSLv3 ciphers, but how is bigd using SSLv3.1/TLS 1.0? Also, when using this command:

openssl ciphers DEFAULT:+SHA:+3DES:+kEDH:-SSLv3 -v

the output is below: no cipher is left, so this will cause the monitor to mark the backend server down.

Error in cipher list
4599:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1188:

Thanks

nitass_89166
Noctilucent
Dec 25, 2014
Protocol version: SSLv3, TLSv1.2. The TLSv1.0 ciphers are flagged with SSLv3. No new ciphers were added by TLSv1.1.
https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html

SynACk_128568
Cirrostratus
Dec 25, 2014
Thanks.
A) But if I remove SSLv3 it will remove all the ciphers and the health check will fail. So I don't think there is any way to negate SSLv3 in the monitor, because when I negate SSLv3 (DEFAULT:+SHA:+3DES:+kEDH:-SSLv3) the pool members go down, as no ciphers are left, since the SSLv3 and TLS 1.0 ciphers are both named the same (SSLv3).
So my question is:
B) Is there any tmsh command/way to disable the SSLv3 protocol, instead of the SSLv3 ciphers, in particular monitors and SSL profiles?

nitass_89166
Noctilucent
Dec 25, 2014
A) Have you tried the TLSv1 cipherlist?

root@ve10a(Active)(tmos) list ltm monitor https myhttps
ltm monitor https myhttps {
cipherlist "TLSv1"
compatibility "enabled"
defaults-from https
interval 5
send "GET /\r\n"
time-until-up 0
timeout 16
}

B) I am not aware of it.

SynACk_128568
Cirrostratus
Dec 27, 2014
I will try this and let you know. Thanks.
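The pitfall the thread turns on is that in an OpenSSL cipher string the keywords SSLv3, TLSv1 and TLSv1.2 select cipher suites by the protocol version that introduced them, not by the protocol a connection will use, so a suite tagged SSLv3 is exactly what a TLS 1.0 or 1.1 server negotiates. The script below is an added example, not code from the thread or from F5: it dry-runs a cipher string through the local OpenSSL via Python's ssl module before anyone pushes it into a monitor, reports whether anything is left (the poster's "no cipher match" case) and whether anything is left that a backend stopping at TLS 1.1 could still negotiate, and shows that forbidding a protocol version is a separate context setting, not a cipher-string rule. The cipher strings are the thread's; the function names and the PRE_TLS12_TAGS classification are my own. Which suites appear depends on the OpenSSL build Python is linked against: the poster's 2014-era build listed only SSLv3-tagged suites, so -SSLv3 emptied the list, while a current build keeps its TLSv1.2-tagged suites and the string parses, yet still cannot reach a server limited to TLS 1.0/1.1. None of this maps to a tmsh option; question B stands as answered above.

```python
"""Dry-run an OpenSSL cipher string before pushing it into an https monitor.

Added example for the thread above; it is not code from the thread or from F5.
Only Python's ssl module is used, so the suites reported are those of the
OpenSSL build Python was linked against.
"""
import ssl

# Cipher strings quoted in the thread.
WORKING = "DEFAULT:+SHA:+3DES:+kEDH:!SSLv3"
EMPTIED = "DEFAULT:+SHA:+3DES:+kEDH:-SSLv3"

# In "openssl ciphers -v" output, "SSLv3" and "TLSv1.0" are cipher-suite
# versions, not protocol versions: a suite tagged SSLv3 is offered over
# TLS 1.0 and 1.1 as well. Only suites with one of these tags can be
# negotiated with a server that stops at TLS 1.1; TLSv1.2-tagged suites
# (GCM, SHA256 MACs) need TLS 1.2. (Classification name is my own.)
PRE_TLS12_TAGS = {"SSLv3", "TLSv1.0"}


def expand(cipher_string):
    """Expand a cipher string into [(suite_name, suite_version_tag), ...].

    Returns [] when OpenSSL reports "no cipher match" for the string. Older
    builds raise on an empty match; 1.1.1+ keeps the TLS 1.3 suites, which are
    stripped here because the cipher string does not govern them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [(c["name"], c["protocol"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def names(cipher_string):
    return [name for name, _ in expand(cipher_string)]


def assess(cipher_string):
    """Summarise what a monitor configured with this string could negotiate."""
    suites = expand(cipher_string)
    pre_tls12 = [n for n, tag in suites if tag in PRE_TLS12_TAGS]
    return {
        "cipher_string": cipher_string,
        "suites": len(suites),
        "sslv3_tagged": sum(1 for _, tag in suites if tag == "SSLv3"),
        # An empty expansion is the thread's "no cipher match" case: the
        # monitor has nothing to offer and the pool member is marked down.
        "would_mark_member_down": not suites,
        # A valid string with no pre-TLS1.2 suites still cannot complete a
        # handshake with a backend limited to TLS 1.0/1.1.
        "reaches_tls10_only_server": bool(pre_tls12),
    }


def protocol_floor(min_version=ssl.TLSVersion.TLSv1_2):
    """Disabling a protocol version is a context setting, not a cipher rule.

    This context keeps every DEFAULT suite, SSLv3-tagged ones included, but
    will never negotiate below min_version. On the OpenSSL side the two knobs
    are independent; nothing here corresponds to a BIG-IP monitor option.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.set_ciphers("DEFAULT")
    return ctx


if __name__ == "__main__":
    # "!" removes a suite for good; "-" removes it until a later rule adds it
    # back, so the last two strings differ only if AES128-SHA is enabled at
    # the build's security level.
    for s in (WORKING, EMPTIED, "TLSv1",
              "DEFAULT:!SSLv3:AES128-SHA", "DEFAULT:-SSLv3:AES128-SHA"):
        print(assess(s))
        for name, tag in expand(s):
            print("   ", tag.ljust(7), name)
```

Run it on the box that will carry the monitor (or any box with the same OpenSSL) and compare the expansion with what the backend actually offers; a string that parses is not the same as a string the backend can answer, which is why the pool members in the thread went down before any error was visible on the BIG-IP side.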