Forum Discussion
Issue changing TLS version in HTTPS monitor
- Jan 22, 2015
Hi Peter,
The HTTPS monitor uses the OpenSSL library, and OpenSSL flags SSLv3 and TLS 1.0 the same. So when you use DEFAULT:!SSLv3:!TLSv1 there are no ciphers left to negotiate.
Have you tried
tmsh modify ltm monitor https monitor_name cipherlist TLSv1 or some other version?
You can see the OpenSSL ciphers by using this command:
openssl ciphers -v DEFAULT or some other setting in the cipherlist of the HTTPS monitor
Hi SynACk,
Thanks for the reply.
I've tried to set it as TLSv1_2 directly, but no sessions were opened. But if the HTTPS monitor doesn't actually use the built-in ciphers, the native ones like server/client SSL profiles do (which I checked via "tmm --serverciphers 'DEFAULT'" and they do support TLSv1.2, i.e.), and uses OpenSSL instead, then that would make perfect sense. The built-in version of OpenSSL in this particular version we are running is 0.9.8e. TLSv1.2 is supported from version 1.0.1, I believe. Now, this is kind of disappointing; I would really like to know why the native ones are not used instead. Or at least to have an option to choose them somehow.
Anyway, thanks for the help.
- Brad_Parker, Jan 22, 2015 (Cirrus)
I believe the big3d service is what monitors pools and nodes, and it uses OpenSSL just like the httpd service. The native ciphers live in TMM and were designed to be hardware accelerated for production traffic. I hope this helps a bit. From a bash prompt you can run "openssl ciphers" to view the ciphers available in the running version of OpenSSL and test your cipher string, similar to tmm --serverciphers.
- PeterKoine_1630, Jan 22, 2015 (Nimbostratus)
Thanks Brad. This difference should be mentioned somewhere on the F5 web page, I believe. I checked the bigd process and it just mentioned that it is used by monitors and nothing else; neither was it mentioned on pages related to HTTPS monitors. To me it looks quite important :).
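An added example, not part of the thread and not F5 tooling: shell helpers for checking a monitor cipherlist against the local OpenSSL binary before applying it, reporting a string that selects no ciphers and tallying what remains by protocol label. The function names and the sample listing are constructed for illustration.

```shell
# Added example (not from the thread). Helpers for vetting a monitor
# cipherlist against the OpenSSL binary the monitor daemon relies on.

# Constructed sample in the column layout of `openssl ciphers -v`:
# suite name, protocol label, then Kx/Au/Enc/Mac fields.
SAMPLE_LISTING='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

# Read a listing on stdin and print "<label> <count>" per protocol label.
# The label is the earliest protocol that defines the suite, so suites
# labelled SSLv3 are the same ones TLS 1.0 negotiates.
tally_protocols() {
    awk 'NF >= 2 { n[$2]++ } END { for (p in n) print p, n[p] }' | sort
}

# Read a listing on stdin; succeed only if some suite carries label $1.
# A build that predates TLSv1.2 lists no suite with that label.
has_protocol() {
    awk -v want="$1" '$2 == want { found = 1 } END { exit !found }'
}

# check_cipherlist STRING [OPENSSL_BIN]
# Returns 1 when STRING selects nothing in this build (the situation
# described for DEFAULT:!SSLv3:!TLSv1), otherwise prints the tally.
check_cipherlist() {
    cl_bin=${2:-openssl}
    if ! cl_out=$("$cl_bin" ciphers -v "$1" 2>/dev/null) || [ -z "$cl_out" ]; then
        echo "EMPTY: '$1' selects no ciphers in this OpenSSL build"
        return 1
    fi
    printf '%s\n' "$cl_out" | tally_protocols
}

# Usage from the bash prompt:
#   check_cipherlist 'DEFAULT:!SSLv3:!TLSv1'
#   openssl ciphers -v 'DEFAULT' | has_protocol TLSv1.2 || echo "no TLSv1.2 suites"
```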