Forum Discussion
SynACk_128568
Cirrostratus
Dec 23, 2014
HTTPS monitor question
Hi All,
I need clarification on how the https monitor works in relation to the cipher list.
1. Does bigd use some specific protocol for monitoring backend servers?
Can bigd be forced to use ...
nitass
Employee
Dec 24, 2014
tmsh modify ltm monitor https httpscustom cipherlist DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
e.g.
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) modify ltm monitor https myhttps cipherlist DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm monitor https myhttps
ltm monitor https myhttps {
adaptive disabled
cipherlist DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
compatibility enabled
defaults-from https
destination *:*
interval 5
ip-dscp 0
send "GET /\r\n"
time-until-up 0
timeout 16
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) q
[root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 host 200.200.200.101 and port 443
New TCP connection 1: 200.200.200.11(43738) <-> 200.200.200.101(443)
1 1 1419479022.6682 (0.0036) C>SV3.1(208) Handshake
ClientHello
Version 3.3
random[32]=
37 62 de 45 83 46 bc 86 aa 55 0c 6f 24 7a fd d2
64 fd 9b fd a4 f8 e2 3a aa 71 09 95 27 e7 9a c7
For the 2nd part, if I got it right, first I need to remove the https monitor from the pool, then start running ssldump and, alongside, apply the monitor again.
Yes, but if you use the DEFAULT:+SHA:+3DES:+kEDH:!SSLv3 cipher list, you do not need to do it (i.e. remove and re-assign the monitor), because SSLv3 is already removed.
SynACk_128568
Cirrostratus
Dec 25, 2014
Hi Nitass,
One more thing: the output of this command:
openssl ciphers DEFAULT:+SHA:+3DES:+kEDH -v
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
All are SSLv3 ciphers, but how is bigd using SSLv3.1/TLS 1.0?
Also, when using this command:
openssl ciphers DEFAULT:+SHA:+3DES:+kEDH:-SSLv3 -v
The output is below: no cipher is left, so this will cause the monitor to mark the backend server down.
Error in cipher list
4599:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1188:
Thanks.
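The two questions in this thread (why suites labelled "SSLv3" are negotiated under TLS 1.0, and why `-SSLv3` left nothing) both come down to how OpenSSL expands a cipher string. The script below is an added example, not code from the thread or from F5; it uses Python's ssl module against whatever OpenSSL it is linked to and assumes OpenSSL 1.1.1 or newer, where DEFAULT also contains TLS 1.2-only suites (unlike the build whose output appears above, where `!SSLv3` would leave nothing). The "protocol" label it reports is the suite's minimum version, not the protocol the monitor speaks, and an empty result is the "no cipher match" state shown above.

```python
import ssl


def resolve(cipher_string):
    """Expand an OpenSSL cipher string into the suites it selects, in order.

    Each entry is (suite_name, min_protocol). min_protocol is the label that
    `openssl ciphers -v` prints in its second column: the oldest protocol the
    suite can be negotiated under, not the version the peer will speak.
    An empty list means OpenSSL rejected the string with "no cipher match",
    which is what a monitor would be left with when the string strips every suite.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are reported as well; they are configured separately and
    # are not touched by the cipher string.
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def min_protocols(cipher_string):
    """The set of minimum-protocol labels present after resolution."""
    return {proto for _, proto in resolve(cipher_string)}


def sslv3_capable_suites(cipher_string):
    """Suites still negotiable under SSL 3.0 (the ones openssl labels 'SSLv3').

    '!SSLv3' removes these permanently; '-SSLv3' only until a later token
    re-adds them. '+SHA:+3DES:+kEDH' moves suites to the end but removes none.
    """
    return [name for name, proto in resolve(cipher_string) if proto == "SSLv3"]


if __name__ == "__main__":
    rules = ("DEFAULT", "DEFAULT:+SHA:+3DES:+kEDH", "DEFAULT:+SHA:+3DES:+kEDH:!SSLv3",
             "DEFAULT:-SSLv3:SSLv3", "DEFAULT:!SSLv3:SSLv3", "ALL:!ALL")
    for rule in rules:
        print(f"{rule:36} {len(resolve(rule)):3} suites, "
              f"{len(sslv3_capable_suites(rule)):3} SSLv3-capable, "
              f"min protocols {sorted(min_protocols(rule))}")
```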