Forum Discussion
SynACk_128568
Cirrostratus
Dec 23, 2014
HTTPS monitor question
Hi All,
I need clarification on how the HTTPS monitor works in relation to the cipher list.
1. Does bigd use some specific protocol for monitoring backend servers?
Can bigd be forced to use ...
nitass
Employee
Dec 24, 2014
tmsh modify ltm monitor https httpscustom cipherlist DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
e.g.
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) modify ltm monitor https myhttps cipherlist DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm monitor https myhttps
ltm monitor https myhttps {
adaptive disabled
cipherlist DEFAULT:+SHA:+3DES:+kEDH:!SSLv3
compatibility enabled
defaults-from https
destination *:*
interval 5
ip-dscp 0
send "GET /\r\n"
time-until-up 0
timeout 16
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) q
[root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 host 200.200.200.101 and port 443
New TCP connection 1: 200.200.200.11(43738) <-> 200.200.200.101(443)
1 1 1419479022.6682 (0.0036) C>SV3.1(208) Handshake
ClientHello
Version 3.3
random[32]=
37 62 de 45 83 46 bc 86 aa 55 0c 6f 24 7a fd d2
64 fd 9b fd a4 f8 e2 3a aa 71 09 95 27 e7 9a c7
For the 2nd part, if I got it right, first I need to remove the HTTPS monitor from the pool, then start running ssldump and alongside apply the monitor again.
Yes, but if you use the DEFAULT:+SHA:+3DES:+kEDH:!SSLv3 cipher string, you do not need to do it (i.e. remove and re-assign the monitor) because SSLv3 is already removed.
SynACk_128568
Cirrostratus
Dec 25, 2014
Thanks.
A) But if I remove SSLv3 it will remove all the ciphers and the health check will fail. So I don't think there is any way to negate SSLv3 in the monitor.
Because when I negate SSLv3 (DEFAULT:+SHA:+3DES:+kEDH:-SSLv3) the pool members go down, as no ciphers are left, since both SSLv3 and TLS 1.0 are named the same.
So my question is:
B) Is there any tmsh command/way to disable the SSLv3 protocol, instead of the SSLv3 ciphers, in particular monitors and SSL profiles?
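The confusion in this thread comes from what the `SSLv3` keyword means inside an OpenSSL-style cipher string: it selects the cipher suites that were introduced with SSL 3.0 (the CBC/SHA1 suites that TLS 1.0 and 1.1 reuse), it does not restrict the protocol version that is negotiated. The example below is added here and is not from the thread or from F5; it uses Python's `ssl` module, so it shows the local OpenSSL's interpretation of the exact string nitass gave and is only an illustration of the keyword semantics, not of how bigd or a BIG-IP SSL profile evaluates the string. The `minimum_version` setting at the end is the OpenSSL/Python control for the protocol version, shown to make the point that version and suite selection are separate knobs; the thread does not show the corresponding BIG-IP setting, so no tmsh equivalent is claimed.

```python
import ssl

# The cipher string quoted in the thread, and the same string without the
# trailing protocol-era keyword, so the two suite lists can be diffed.
MONITOR_CIPHERS = "DEFAULT:+SHA:+3DES:+kEDH:!SSLv3"
BASELINE_CIPHERS = "DEFAULT:+SHA:+3DES:+kEDH"


def suites_for(cipher_string):
    """Return the suites the local OpenSSL selects for an OpenSSL-style cipher string.

    Each entry is a dict from SSLContext.get_ciphers(); its 'protocol' field is the
    protocol version that introduced the suite (e.g. 'SSLv3' for the CBC/SHA1 suites
    that TLS 1.0 and 1.1 also use), not a negotiated or minimum version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is left
    return ctx.get_ciphers()


def compare(baseline, restricted):
    """Split the baseline suite list into what 'restricted' keeps and what it removes."""
    base = {c["name"]: c for c in suites_for(baseline)}
    kept = {c["name"]: c for c in suites_for(restricted)}
    removed = [c for name, c in base.items() if name not in kept]
    return list(kept.values()), removed


def has_sslv3_era_suite(suites):
    """True if any suite in the list was introduced with SSL 3.0.

    Substring match because older OpenSSL/LibreSSL builds report 'TLSv1/SSLv3'.
    """
    return any("SSLv3" in c["protocol"] for c in suites)


def protocol_restricted_context(min_version=ssl.TLSVersion.TLSv1_2):
    """The separate control that actually disables a protocol version.

    A cipher string only decides which suites are offered; the versions the
    handshake may negotiate are set here (OpenSSL/Python semantics, assumed
    for illustration; BIG-IP configures this independently of the cipherlist).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    return ctx


if __name__ == "__main__":
    kept, removed = compare(BASELINE_CIPHERS, MONITOR_CIPHERS)
    print(f"{MONITOR_CIPHERS!r} removes {len(removed)} suite(s), keeps {len(kept)}")
    for c in removed:
        print(f"  removed: {c['name']:<32} introduced in {c['protocol']}")
    for c in kept:
        print(f"  kept:    {c['name']:<32} introduced in {c['protocol']}")
    ctx = protocol_restricted_context()
    print(f"protocol floor set separately: minimum_version={ctx.minimum_version.name}")
```

Running it shows that `!SSLv3` strips every SSL 3.0-era suite (which is why, on a stack whose DEFAULT set has no TLS 1.2-only suites, nothing is left and a pool member goes down), while the suites tagged TLSv1.2 and TLSv1.3 survive; the protocol floor is untouched by either string and has to be set on its own.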