Forum Discussion
Issue changing TLS version in HTTPS monitor
- Jan 22, 2015
Hi Peter,
The https monitor uses the OpenSSL library, and in OpenSSL the SSLv3 and TLS1.0 flags are the same. So when you use DEFAULT:!SSLv3:!TLSv1 there are no ciphers left to negotiate.
Have you tried
tmsh modify ltm monitor https monitor_name cipherlist TLSv1 or some other version?
You can see the OpenSSL ciphers by using this command:
openssl -v DEFAULT or some other setting in cipherlist in monitor https
Hi Peter,
We checked and got a solution from F5:
Once the server negotiates from SSLv2 to TLS1, all subsequent connections will utilize the later protocol. Because these pool members have already negotiated TLSv1, some of the monitors are shown working to pool members with SSLv2 disabled.
Basically they told us that LTM cannot perform the negotiation.
They recommended disabling:
app-service none
cert none
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled <--- try setting compatibility to disabled
In the F5 documents, compatibility "Displays, when enabled, that the SSL options setting (in OpenSSL) is set to ALL. The default is Enabled."
Not able to understand its purpose?
Thanks
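The two posts above both come down to the same question: what does a given monitor cipherlist value actually leave for OpenSSL to negotiate? The script below is an added example, not code from this thread, from F5 or from the OpenSSL project. It assumes only that Python's ssl module is linked against an OpenSSL build, and it inspects a constructed list of cipher strings (including the ones discussed in the thread) the way `openssl ciphers -v <spec>` would, reporting each surviving suite's protocol column. Because the SSLv3/TLSv1 aliases describe the protocol version a suite was introduced in, not the version that gets negotiated, the answer depends on the OpenSSL version, which is exactly why the thread's DEFAULT:!SSLv3:!TLSv1 string came back empty on the BIG-IP's OpenSSL.

```python
"""Inspect what an OpenSSL cipher string leaves available.

Added example for the DevCentral thread; not F5 or OpenSSL code.
Assumes Python's ssl module is linked against some OpenSSL build.
"""
import ssl


def ciphers_for(spec):
    """Return [(name, protocol)] for every suite the cipher string
    `spec` selects, or [] when OpenSSL cannot select a single suite
    (the situation the thread describes for DEFAULT:!SSLv3:!TLSv1).
    On OpenSSL 1.1.1+ Python also lists the TLS 1.3 suites, which are
    configured separately from the classic cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # OpenSSL reports "no cipher match"; treat it as an empty list.
        return []
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def protocol_summary(spec):
    """Count the surviving suites per protocol column, e.g.
    {'SSLv3': 12, 'TLSv1.2': 20, 'TLSv1.3': 3}. Empty dict means the
    monitor would have nothing to negotiate with."""
    summary = {}
    for _name, proto in ciphers_for(spec):
        summary[proto] = summary.get(proto, 0) + 1
    return summary


# Constructed list: the strings discussed in the thread plus DEFAULT
# as a baseline. These are inputs to inspect, not recommendations.
SPECS_UNDER_TEST = [
    "DEFAULT",
    "DEFAULT:!SSLv3:!TLSv1",       # the string that broke the monitor
    "TLSv1",                       # suggested replacement in the thread
    "DEFAULT:+SHA:+3DES:+kEDH",    # string recommended by F5 support
]


def report(specs=SPECS_UNDER_TEST):
    """Print a per-spec summary; run this on the same OpenSSL the
    monitor uses, since the aliases differ between OpenSSL releases."""
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    for spec in specs:
        summary = protocol_summary(spec)
        if not summary:
            print(f"{spec!r}: NO CIPHERS SELECTABLE")
            continue
        cols = ", ".join(f"{p}={n}" for p, n in sorted(summary.items()))
        print(f"{spec!r}: {cols}")


if __name__ == "__main__":
    report()
```

Run it with plain `python3` on a host whose OpenSSL matches the BIG-IP's; on a 1.0.x-era OpenSSL, where the TLSv1 alias is identical to SSLv3, the second string reports no selectable ciphers, while on newer releases the TLSv1.2-only suites survive the exclusion. Either way the output shows the protocol column that the monitor's cipherlist is really filtering on.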
- PeterKoine_1630, Jan 30, 2015, Nimbostratus
Hi SynACk, the compatibility setting is about turning on OpenSSL's bug workarounds: https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html During an SSL session handshake, in the client hello message, the client sends all the ciphers it supports and mentions the highest SSL version it can use. The server should always choose the strongest compatible one. So yes, if you have SSLv2 and TLS1 enabled, TLS1 should always be chosen in all future connections. But haven't you mentioned that you have SSLv2 and SSLv3 disabled on the servers? Also, has turning off compatibility solved the issue you have?
- SynACk_128568, Jan 30, 2015, Cirrostratus
Still need to perform the change. Will keep the thread posted.