Forum Discussion
iControl and TLSv1.2
Has anybody encountered issues with iControl when you lock httpd down to only allow TLSv1.2? Device trust creation, Big-IQ, iRule editor, PowerShell iControl cmdlets, etc... all fail to connect when we restrict the management interface (httpd) to only TLSv1.2. The GUI still works in a browser, however. TCPDUMP suggests all these iControl functions only offer TLS 1.0 in the ClientHello.
5 Replies
- UsualSuspect_16
Nimbostratus
Hi Brad, What version are you running? I currently have a similar problem establishing device trust when I remove SSLv3 from the supported list. With SSLv3 allowed it works, with SSLv3 disabled it doesn't. I'm running 11.5.1 HF7 on a 2400.
- Brad_Parker
Cirrus
I've seen this issue in both 11.5.1 and 11.6.0.
- The iRule Editor and PowerShell Cmdlets both use the iControl library for .NET which just uses the base HTTP classes in the .NET framework to open a connection to https://bigip/iControl/iControlPortal.cgi. There is no code in there to specify which ciphers to use. I'll have to dig into the code to see if there's a way around it...
- djenkins-nz_239
Nimbostratus
Same issue here.. SSLv3 was disabled for us over the weekend on the management interface and now iControl doesn't work.
- Ken_Schultz_525
Nimbostratus
Has this issue ever been resolved? Or even documented anywhere with specifics?
We just got bit with this, on 11.6.2, we'd disabled SSLv3 and TLSv1 for the admin GUI. Months later, we replaced device certs, and needed to rebuild device trust. FAIL. Set back to defaults:
sys httpd ssl-ciphersuite DEFAULT
sys httpd ssl-protocol all
presto... iControl worked just fine. SMH
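
Added example, not part of any post in this thread and not F5's code: a PowerShell check of which TLS versions the management interface accepts, followed by opting the current session into TLS 1.2 so that cmdlets built on the .NET base HTTP classes offer it in their ClientHello. It assumes Windows PowerShell on .NET Framework 4.5 or later and that the iControl cmdlets are loaded in the same session afterwards; `bigip.example.com` and the function name `Test-TlsVersion` are placeholders.

```powershell
# Added example; bigip.example.com is a placeholder management address.
param(
    [string]$BigIpHost = 'bigip.example.com',
    [int]$Port = 443
)

function Test-TlsVersion {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Certificate validation is skipped on purpose: this handshake carries no
        # credentials or data and only records which protocol version is agreed.
        $anyCert = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $anyCert)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        return $ssl.SslProtocol          # version actually negotiated
    } catch {
        return $null                     # handshake refused for this version
    } finally {
        $tcp.Close()
    }
}

# What HttpWebRequest-based clients in this process offer unless told otherwise.
$before = [System.Net.ServicePointManager]::SecurityProtocol
Write-Output "Process default before change: $before"

# Ask the management interface for each version separately.
foreach ($name in 'Tls', 'Tls11', 'Tls12') {
    $result = Test-TlsVersion -HostName $BigIpHost -Port $Port -Protocol $name
    $status = if ($result) { 'accepted' } else { 'rejected' }
    Write-Output ("{0,-6} {1}" -f $name, $status)
}

# Offer TLS 1.2 from this session onward, then load and use the iControl cmdlets.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
$after = [System.Net.ServicePointManager]::SecurityProtocol
Write-Output "Process default after change: $after"
```

The setting applies only to the PowerShell process it is run in, so it does not change what a separate executable such as the iRule Editor offers. A "rejected" result can also come from the local Windows policy disabling that protocol version on the client side.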