Forum Discussion
PeterKoine_1630
Nimbostratus
NimbostratusIssue changing TLS version in HTTPS monitor
Hello everyone,
I am having troubles to change the cipher suite on a custom https monitor. Our client has turned off TLS v1.0 on their servers but each time I change the cipher option from DEFAU...
Hi Peter ,
https monitor uses openssl library and openssl flags sslv3 and tls1.0 same . So when you use DEFAULT:!SSLv3:!TLSv1 there are no ciphers left to negotiate .
have you tried
tmsh modify ltm monitor https monitor_name cipherlist TLSv1 or someother version .
you can see openssl ciphers by using this command :
openssl -v DEFAULT or some other setting in cipherlist in monitor https
SynACk_128568
Cirrostratus
CirrostratusHi Peter/Brad,
i also had a somewhat similar issue few days back , maybe you can tell if you faced same issue .
LTM has default cipherlist in https monitor . And team who manages backend servers disabled sslv2 ,sslv3 . After that LTM is marking pool member down .
when using curl command it reported wrong version used, handshake failure .
Any help will be appreciated . No changes done on LTM .
Thanks
PeterKoine_1630Nimbostratus
NimbostratusHi SynACk,
I assume you ran curl from the F5 directly. Most likely it does not support more than TLS1.0. In any case, can you run ssldump from the F5 ('ssldump -i 0.0 -AnNd host xxxx and port 443' ) to that pool member? This way you can at least see if a SSL session is being established and at which point it fails.
Also, it helped me to download latest curl. I then ran it from one of our jump servers to see if at least TLS1.1/2 negotiates correctly. In my case i.e., when customer disabled TLS1.0 and realized it won't work at first, even when they've re-enabled it, monitor was still marking the pool down as there was no cipher that the F5 and their server could agree upon. None of the openssl DEFAULs matched their TLS1.0 cipher list profile. Would be worthwhile checking with them what kind of SSL settings they've kept enabled.