Issue changing TLS version in HTTPS monitor
- Jan 22, 2015
Hi Peter,
The https monitor uses the openssl library, and openssl flags sslv3 and tls1.0 the same. So when you use DEFAULT:!SSLv3:!TLSv1 there are no ciphers left to negotiate.
Have you tried
tmsh modify ltm monitor https monitor_name cipherlist TLSv1
or some other version?
You can see the openssl ciphers by using this command:
openssl ciphers -v DEFAULT
or some other setting in the cipherlist of the https monitor.
Hi Peter,
It was like this:
1 1 0.0020 (0.0020) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
cipher 1
cipher 2 . .
1 0.0032 (0.0000) S>C TCP FIN
1 0.0041 (0.0009) C>S TCP FIN
Thanks
- PeterKoine_1630, Jan 29, 2015, Nimbostratus
Hi SynACk, that is quite odd. It seems the server is not responding at all. Hasn't your server team disabled all SSL options? Like when I did in my original question about https, where it was not sending anything but TCP RST and FIN with DEFAULT:!SSLv3:!TLSv1 set up. As per the RFC anyway:
"The server will send this message in response to a client hello message when it was able to find an acceptable set of algorithms. If it cannot find such a match, it will respond with a handshake failure alert."
So if it has at least something enabled, it should respond either with an alert or a success message. Unfortunately I do not have access to a backend server I could test my theory on. I was somewhat able to mimic it by disabling all ciphers on the clientssl profile. The VIP didn't respond at all and curl showed this:
* SSLv2, Client hello (1): Unknown SSL protocol error in connection to xxx:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to xxx:443
- SynACk_128568, Jan 29, 2015, Cirrostratus
Thanks for your inputs Peter, will check and revert back if I find some solution.
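The distinction discussed in this thread (a server that answers the client hello with a handshake or an alert versus one that just closes the connection) can be checked mechanically over ssldump output. This is an added example, not code from the thread: the verdict names are hypothetical, THREAD_TRACE repeats the event lines quoted above, and CONSTRUCTED_TRACE is made-up sample data that assumes the same line layout.

```python
import re

# One ssldump event line: "<conn> [<record#>] <time> (<delta>) <dir> <what>".
# SSL records carry a record number; TCP FIN/RST events do not.
EVENT = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?:(?P<rec>\d+)\s+)?\d+\.\d+\s+\(\d+\.\d+\)\s+"
    r"(?P<dir>C>S|S>C)\s+(?P<what>.+?)\s*$"
)

def classify(trace):
    """Map each connection id to how the server answered the client hello."""
    conns = {}
    for line in trace.splitlines():
        m = EVENT.match(line)
        if m is None:
            continue  # detail lines (Version, cipher suites, alert level, ...)
        c = conns.setdefault(m["conn"], {"sent": False, "reply": None, "closed": False})
        is_record = m["rec"] is not None
        if is_record and m["dir"] == "C>S":
            c["sent"] = True                      # client sent an SSL record
        elif is_record and c["reply"] is None:
            # first SSL record from the server decides the verdict
            c["reply"] = "alert" if m["what"].startswith("Alert") else "handshake"
        elif m["what"].startswith("TCP"):
            c["closed"] = True                    # TCP FIN or RST from either side
    verdicts = {}
    for conn, c in conns.items():
        if c["reply"]:
            verdicts[conn] = "server " + c["reply"]
        elif c["sent"] and c["closed"]:
            verdicts[conn] = "silent close"       # no ServerHello and no alert
        else:
            verdicts[conn] = "incomplete"
    return verdicts

# Event lines as quoted in the thread (cipher list elided there as well).
THREAD_TRACE = """1 1 0.0020 (0.0020) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
1 0.0032 (0.0000) S>C TCP FIN
1 0.0041 (0.0009) C>S TCP FIN"""

# Constructed sample data: one connection rejected with an alert, one accepted.
CONSTRUCTED_TRACE = """2 1 0.0019 (0.0019) C>S SSLv2 compatible client hello
2 2 0.0031 (0.0012) S>C Alert
    level fatal
    value handshake_failure
2 0.0040 (0.0009) S>C TCP FIN
3 1 0.0021 (0.0021) C>S SSLv2 compatible client hello
3 2 0.0035 (0.0014) S>C Handshake
      ServerHello"""

if __name__ == "__main__":
    print(classify(THREAD_TRACE), classify(CONSTRUCTED_TRACE))
```

A "silent close" verdict matches the trace posted above: the server closed the connection without sending either a ServerHello or a handshake failure alert.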