Forum Discussion

PSPK
Dec 16, 2020

Log the TLS version of a client connecting to a TCP VIP with no HTTP or client-ssl Profile

Hello,

I have a TCP VIP on port 995 with no HTTP Profile or client-ssl profile.

There are several clients that make SSL connections to this VIP.

I need to know the client SSL/TLS version.

I tried to apply the iRule below and it threw the following error:

when CLIENTSSL_HANDSHAKE {
    if { [info exists logged] && $logged == 1 } {
        # Do nothing. Already logged for this connection
    } else {
        set logged 1
        log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] "
    }
}

01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_exchange-2016_pop3_MWDC).

I really need an iRule to help me log the incoming client TLS versions.

Please help.

Thanks :)

  • Hi  ,

    This cannot be achieved with your existing setup. You have to offload the traffic to get that information. The log error message tells you that clearly.

    01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_exchange-2016_pop3_MWDC).

  • Hi, fully agreed with  . As your setup is SSL pass-through, BIG-IP is not participating in the encryption. You should map the associated profiles on the VS to understand the traffic being processed. Here, as you want F5 to inspect the SSL handshake, you should configure a client SSL profile on it.
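Both answers come down to where the client's TLS version actually lives: in the cleartext ClientHello that opens the handshake, which BIG-IP only parses once a client-ssl profile makes it a party to the TLS session. As an added illustration that is not part of this thread and not an iRule, the Python below (my own code, offline) parses a constructed ClientHello and reports the three places a version can appear: the record-layer version, client_version, and the supported_versions extension that TLS 1.3 clients use; build_client_hello only generates constructed samples, not captured traffic.

```python
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
name = lambda v: VERSION_NAMES.get(v, "unknown(0x%04x)" % v)

def build_client_hello(client_version, supported_versions=None):
    # Constructed sample (not captured traffic): minimal ClientHello, one cipher suite.
    ext = b""
    if supported_versions:  # TLS 1.3 clients list versions in extension 43
        vlist = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", 0x002B, len(vlist) + 1) + bytes([len(vlist)]) + vlist
    hello = (struct.pack("!H", client_version) + bytes(32)  # client_version + random
             + b"\x00"                                      # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite
             + b"\x01\x00"                                  # null compression only
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(data):
    # Returns the version fields of a ClientHello; ValueError for anything else
    # (e.g. a plaintext "+OK" POP3 banner, which is not a TLS record at all).
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + record_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not start with a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 35 + hello[34]                                   # skip version, random, session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # skip cipher_suites
    pos += 1 + hello[pos]                                  # skip compression_methods
    offered = [client_version]                             # pre-1.3 clients: just this field
    if pos + 2 <= len(hello):                              # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == 0x002B:                         # supported_versions wins over client_version
                n = hello[pos]
                offered = [struct.unpack("!H", hello[pos + 1 + i:pos + 3 + i])[0] for i in range(0, n, 2)]
            pos += ext_len
    return {"record_version": name(record_version), "client_version": name(client_version),
            "offered": [name(v) for v in offered], "highest": name(max(offered))}
```

Note that a TLS 1.3 client still writes TLS 1.0 in the record header and TLS 1.2 in client_version, so only the extension reveals what it really offers; a negotiated-version field like the one the iRule logs after offload is a different value again.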