Forum Discussion

PeterKoine_1630's avatar
PeterKoine_1630
Icon for Nimbostratus rankNimbostratus
Jan 22, 2015

Issue changing TLS version in HTTPS monitor

Hello everyone,   I am having troubles to change the cipher suite on a custom https monitor. Our client has turned off TLS v1.0 on their servers but each time I change the cipher option from DEFAU...
application delivery
availability
deployment
design
LTM
management
  • SynACk_128568's avatar
    SynACk_128568
    Jan 22, 2015

    Hi Peter ,

     

    https monitor uses openssl library and openssl flags sslv3 and tls1.0 same . So when you use DEFAULT:!SSLv3:!TLSv1 there are no ciphers left to negotiate .

     

    have you tried

     

    tmsh modify ltm monitor https monitor_name cipherlist TLSv1 or someother version .

     

    you can see openssl ciphers by using this command :

     

    openssl -v DEFAULT or some other setting in cipherlist in monitor https

     

SynACk_128568's avatar
SynACk_128568
Icon for Cirrostratus rankCirrostratus

Hi Peter ,

 

I ran ssl dump and it was something like this :

 

self ip ltm <->backend server sslv2 compatible client hello

 

Version 3.1

 

all the cipher suites . . . .

 

Backend server<->self ip TCP Fin

 

self ip<->backend sevrer TCP Fin

 

Thanks

 

PeterKoine_1630's avatar
PeterKoine_1630
Icon for Nimbostratus rankNimbostratus
Jan 28, 2015
what did the server hello message say? Does the handshake look similar to this one? 1 1 0.0020 (0.0020) C>S SSLv2 compatible client hello Version 3.1 cipher suites cipher 1 cipher 2 ... 1 2 0.0032 (0.0011) S>CV3.1(2) Alert level fatal value handshake_failure 1 0.0032 (0.0000) S>C TCP FIN 1 0.0041 (0.0009) C>S TCP FIN In this case ie, ssl version matched but there was no match in the cipher list, so the session was torn down. if you see '1 2 0.0032 (0.0011) S>CV3.2(2) Alert' on the other hand, then ssl version does not match.