Forum Discussion
Log TLS version in iRule for TCP VIP
Hi All,
I am working on a project to remove all TLS 1.0 connections on F5, but first we need to know who is still connecting to certain VIPs.
There is already an iRule defined by one of my colleagues, but it only works when there is an HTTP profile attached. We also have plain TCP VIPs with SSL offloading, so I can't attach the iRule below to them.
when HTTP_REQUEST {
    # Log the negotiated TLS version once per connection; needs an HTTP profile
    if { [info exists logged] && $logged == 1 } {
        # Do nothing. Already logged for this connection
    } else {
        set logged 1
        log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] Client:[HTTP::header "User-Agent"]:[HTTP::host]"
    }
}
I am not good at scripting, but I understand the logic above. I need something similar without the "HTTP_REQUEST" statement etc., because the TCP VIP does not handle HTTP traffic.
Can someone help me to make an iRule that will work with plain TCP?
- ToonVACirrus
Thanks for the information. I did some research and managed to get it running on our infra. Below is the iRule I reworked for a TCP VIP (without an HTTP profile).
when CLIENTSSL_HANDSHAKE {
    # Fires once the client-side TLS handshake completes; no HTTP profile needed
    if { [info exists logged] && $logged == 1 } {
        # Do nothing. Already logged for this connection
    } else {
        set logged 1
        log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] "
    }
}
The "WAARDE" string is the trigger I can use to search for in the LTM log file /var/log/ltm.
LTM output example (some items masked):
Line 429655: Jan 17 08:34:24 slot2/VCMP- info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG_172... : WAARDE TLS1.0 check, from 10... to vip 172... Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128
- PSPKNimbostratus
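Once the iRule above is logging, the remaining work is turning /var/log/ltm into a list of clients per VIP that still negotiate TLS 1.0. The script below is an added example, not code from the thread or from F5: it parses the log format both iRules in this thread produce (the CLIENTSSL_HANDSHAKE variant and the HTTP_REQUEST variant with its trailing Client:User-Agent:Host field) and groups clients by VIP and protocol version. The sample log lines are constructed to match the example output posted above, with documentation and private IP ranges in place of the masked addresses, and the "<EVENT>" tag BIG-IP prints after the rule name is treated as optional.

```python
"""Summarise the WAARDE TLS-check lines the iRules write to /var/log/ltm (added example)."""
import re
from collections import defaultdict

# One regex covers both iRule variants: the CLIENTSSL_HANDSHAKE rule stops after the
# cipher triple, the HTTP_REQUEST rule appends "Client:<User-Agent>:<Host>".
LOG_RE = re.compile(
    r"Rule (?P<rule>\S+)(?: <[^>]*>)? ?: WAARDE TLS1\.0 check, "
    r"from (?P<client>\S+) to vip (?P<vip>\S+) "
    r"Cipher (?P<cipher>[^:\s]+):(?P<version>[^:\s]+):(?P<bits>\d+)"
    r"(?: Client:(?P<ua_host>.*))?\s*$"
)

# Constructed sample lines in the shape of the thread's example; addresses are not real hosts.
SAMPLE_LTM_LINES = [
    "Jan 17 08:34:24 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG : "
    "WAARDE TLS1.0 check, from 10.0.0.15 to vip 172.16.0.10 Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128",
    "Jan 17 08:35:02 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG <CLIENTSSL_HANDSHAKE>: "
    "WAARDE TLS1.0 check, from 10.0.0.15 to vip 172.16.0.10 Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128",
    "Jan 17 08:35:40 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG <CLIENTSSL_HANDSHAKE>: "
    "WAARDE TLS1.0 check, from 10.0.0.22 to vip 172.16.0.10 Cipher ECDHE-RSA-AES256-GCM-SHA384:TLSv1.2:256",
    "Jan 17 08:36:11 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_HTTP <HTTP_REQUEST>: "
    "WAARDE TLS1.0 check, from 10.0.0.31 to vip 172.16.0.20 Cipher AES256-SHA:TLSv1:256 "
    "Client:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1):mail.example.com",
    # Constructed unrelated line: the parser must skip anything that is not a WAARDE entry.
    "Jan 17 08:36:12 slot2/VCMP-1 notice tmm[19343]: some other log message without the trigger",
]

LEGACY_VERSIONS = ("SSLv2", "SSLv3", "TLSv1")


def parse_line(line):
    """Return the fields of one WAARDE log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    return rec


def clients_by_version(lines):
    """Map (vip, protocol version) -> sorted unique client IPs seen on that VIP."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[(rec["vip"], rec["version"])].add(rec["client"])
    return {key: sorted(clients) for key, clients in seen.items()}


def legacy_clients(lines, legacy=LEGACY_VERSIONS):
    """Sorted unique (vip, client, version, cipher) tuples still on a legacy protocol version."""
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["version"] in legacy:
            hits.add((rec["vip"], rec["client"], rec["version"], rec["cipher"]))
    return sorted(hits)


if __name__ == "__main__":
    for (vip, version), clients in sorted(clients_by_version(SAMPLE_LTM_LINES).items()):
        print("%-14s %-8s %s" % (vip, version, ", ".join(clients)))
    print("still on legacy TLS:", legacy_clients(SAMPLE_LTM_LINES))
```

Run it against the real file with `python3 tls_check.py < /var/log/ltm` style redirection after swapping SAMPLE_LTM_LINES for `sys.stdin`; the grouping by VIP is what tells you which virtual servers can drop TLS 1.0 straight away and which still need client follow-up.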
Hello,
I have a TCP VIP on port 995 with no HTTP profile or client-ssl profile.
I tried to apply the above iRule and it threw the following error:
01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_exchange-2016_pop3_MWDC).
I really need an iRule to help me log the incoming client TLS versions.
Without an SSL profile, you will not be able to use a CLIENTSSL_HANDSHAKE event-based iRule.
FYI, the BIG-IP LTM Client SSL profile supports the POPS service (port 995).
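Without a client-ssl profile the SSL:: commands and the CLIENTSSL_HANDSHAKE event are unavailable, but on a passthrough VIP the ClientHello and ServerHello still cross the wire in cleartext, so a packet capture of the VIP (for example tcpdump on the BIG-IP) is enough to tell which version each client negotiated. The parser below is an added example, not code from the thread or from F5: given the first TLS record from each direction of a connection it reports the highest version the client offered and the version the server actually selected, including the TLS 1.3 case where the real choice lives in the supported_versions extension rather than the legacy version field. The sample records are constructed in the block (with dummy random bytes), not taken from a capture; feeding it real traffic means extracting the first handshake record of each direction from the pcap, which is assumed and not shown here.

```python
"""Read offered/negotiated TLS versions from raw ClientHello/ServerHello records (added example)."""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO, EXT_SUPPORTED_VERSIONS = 0x16, 1, 2, 0x002B
LEGACY_VERSIONS = ("SSLv3", "TLSv1")


def _extensions(buf):
    """Yield (type, data) for a TLS extensions block prefixed by its 2-byte total length."""
    if len(buf) < 2:
        return
    total, = struct.unpack("!H", buf[:2])
    pos, end = 2, 2 + total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        yield ext_type, buf[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len


def hello_version(record):
    """Return ("ClientHello", highest offered version) or ("ServerHello", selected version)."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]            # handshake message: type(1) len(3) payload
    msg_type = body[0]
    legacy_version, = struct.unpack("!H", body[4:6])
    pos = 6 + 32                            # skip the 32-byte random
    pos += 1 + body[pos]                    # skip session_id
    if msg_type == CLIENT_HELLO:
        cs_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                   # skip cipher_suites
        pos += 1 + body[pos]                # skip compression_methods
        offered = {legacy_version}
        for ext_type, data in _extensions(body[pos:]):
            if ext_type == EXT_SUPPORTED_VERSIONS:   # TLS 1.3 clients list versions here
                n = data[0]
                offered.update(struct.unpack("!%dH" % (n // 2), data[1:1 + n]))
        best = max(offered)
        return "ClientHello", VERSION_NAMES.get(best, hex(best))
    if msg_type == SERVER_HELLO:
        pos += 2 + 1                        # skip cipher_suite and compression_method
        selected = legacy_version
        for ext_type, data in _extensions(body[pos:]):
            if ext_type == EXT_SUPPORTED_VERSIONS:   # a TLS 1.3 server puts 0x0304 here
                selected, = struct.unpack("!H", data[:2])
        return "ServerHello", VERSION_NAMES.get(selected, hex(selected))
    raise ValueError("unsupported handshake message type %d" % msg_type)


def negotiated_version(client_record, server_record):
    """Pair the two hellos: what the client could do versus what was actually negotiated."""
    cmsg, client_max = hello_version(client_record)
    smsg, selected = hello_version(server_record)
    if (cmsg, smsg) != ("ClientHello", "ServerHello"):
        raise ValueError("expected a ClientHello followed by a ServerHello")
    return {"client_max": client_max, "negotiated": selected,
            "legacy": selected in LEGACY_VERSIONS}


def _hello(msg_type, version, suites, extensions=b""):
    """Construct a minimal handshake record for the samples below (test data, not a capture)."""
    if msg_type == CLIENT_HELLO:
        body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
                + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    else:
        body = struct.pack("!H", version) + b"\x22" * 32 + b"\x00" + suites + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(hs)) + hs


# Constructed samples: a TLS 1.0-only client, a TLS 1.3-capable client, and three server answers.
CLIENT_HELLO_TLS10 = _hello(CLIENT_HELLO, 0x0301, b"\x00\x2f")
SERVER_HELLO_TLS10 = _hello(SERVER_HELLO, 0x0301, b"\x00\x2f")
CLIENT_HELLO_TLS13 = _hello(CLIENT_HELLO, 0x0303, b"\x13\x01\xc0\x2f",
                            struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, 5, 4) + b"\x03\x04\x03\x03")
SERVER_HELLO_TLS12 = _hello(SERVER_HELLO, 0x0303, b"\xc0\x2f")
SERVER_HELLO_TLS13 = _hello(SERVER_HELLO, 0x0303, b"\x13\x01",
                            struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + b"\x03\x04")

if __name__ == "__main__":
    print(negotiated_version(CLIENT_HELLO_TLS10, SERVER_HELLO_TLS10))
    print(negotiated_version(CLIENT_HELLO_TLS13, SERVER_HELLO_TLS12))
    print(negotiated_version(CLIENT_HELLO_TLS13, SERVER_HELLO_TLS13))
```

The ServerHello is the record that matters for the inventory: a client that offers TLS 1.2 but is answered with TLS 1.0 shows up as a server-side configuration problem, while a client whose ClientHello tops out at TLS 1.0 is the one that will break when the old protocol is disabled.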