Forum Discussion
SynACk_128568
Cirrostratus
Dec 23, 2014
HTTPS monitor question
Hi All,
I need clarification on how the HTTPS monitor works in relation to the cipher list.
1. Does bigd use some specific protocol for monitoring backend servers?
Can bigd be forced to use ...
nitass
Employee
Dec 24, 2014
tmsh ltm modify monitor https httpscustom cipher-list DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
e.g.
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) modify ltm monitor https myhttps cipherlist DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm monitor https myhttps
ltm monitor https myhttps {
adaptive disabled
cipherlist DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
compatibility enabled
defaults-from https
destination *:*
interval 5
ip-dscp 0
send "GET /\r\n"
time-until-up 0
timeout 16
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) q
[root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 host 200.200.200.101 and port 443
New TCP connection 1: 200.200.200.11(43738) <-> 200.200.200.101(443)
1 1 1419479022.6682 (0.0036) C>SV3.1(208) Handshake
ClientHello
Version 3.3
random[32]=
37 62 de 45 83 46 bc 86 aa 55 0c 6f 24 7a fd d2
64 fd 9b fd a4 f8 e2 3a aa 71 09 95 27 e7 9a c7
For the 2nd part, if I got it right, first I need to remove the https monitor from the pool, then start running ssldump and alongside apply the monitor again.
Yes, but if you use the DEFAULT:+SHA:+3DES:+kEDH:!SSLv3 cipher, you do not need to do it (i.e. remove and re-assign the monitor) because SSLv3 is already removed.
nitass
Employee
Dec 25, 2014
Protocol version: SSLv3, TLSv1.2. The TLSv1.0 ciphers are flagged with SSLv3. No new ciphers were added by TLSv1.1.
https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html
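An added example, not part of the original thread: a way to see which suites the monitor's cipher string expands to, grouped by the protocol tag OpenSSL reports, and which suites the `!SSLv3` rule strips. It assumes the OpenSSL build linked into the local Python, not the one bigd uses on BIG-IP, so the suite names and tags will differ by version; the helper names are hypothetical.

```python
import ssl

# Cipher list quoted in the thread.
MONITOR_CIPHERS = "DEFAULT:+SHA:+3DES:+kEDH:!SSLv3"


def expand(cipher_string):
    """Return {suite name: protocol tag} for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def by_protocol(suites):
    """Group suite names by the protocol tag attached to each suite."""
    groups = {}
    for name, proto in suites.items():
        groups.setdefault(proto, []).append(name)
    return groups


def removed_by_rule(cipher_string, rule="!SSLv3"):
    """Suites present without `rule` that disappear once it is appended."""
    parts = [p for p in cipher_string.split(":") if p != rule]
    before = expand(":".join(parts))
    after = expand(":".join(parts + [rule]))
    return {name: proto for name, proto in before.items() if name not in after}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for proto, names in sorted(by_protocol(expand(MONITOR_CIPHERS)).items()):
        print(f"{proto}: {len(names)} suites")
        for name in names:
            print("   ", name)
    print("Removed by !SSLv3:")
    for name, proto in sorted(removed_by_rule(MONITOR_CIPHERS).items()):
        print(f"    {name} ({proto})")
```

The tag on each suite is the protocol version that introduced it, which is the value the linked SSL_CIPHER_get_name page documents; the version actually negotiated with a pool member is what ssldump shows in the handshake.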