Logging more details when SSL handshake fails.

Question

In our F5 setup we are using TLS 1.2 with mutual authentication.  Our list of ciphers is limited to only those supported for TLS 1.2 in the clientssl profile.  The issue is when a browser connects with version &lt; TLS 1.2, we get an error logged "Connection error: ssl_hs_rxv2hello:8315: unsupported version (70)".  Now error code indicates unsupported protocol version.  
&nbsp;
Can the actual version requested be logged.  Better yet the cipher and version requested would be nice.  If this cannot be logged, can some new SSL events be added so that we can log such information via iRules.&nbsp;

youssef1 · Answer

Hi,
can you try this:
when CLIENTSSL_CLIENTHELLO {
    log local0. "From IP: [IP::client_addr] - cipher: [SSL::cipher name] - version: [SSL::cipher version]"
}

For more information:
https://devcentral.f5.com/wiki/iRules.SSL.ashx
regards

Forum Discussion

Logging more details when SSL handshake fails.

1 Reply

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

Load Balancing IIS Servers

remove www from domain

Front azure traffic from F5 LTM onpremises

F5 BigIP APM VPN some LDAP field are base64 encoded

Two Arm Deployment mode using PBR

Related Content

iRule to log traffic details

ASN Details

APM-DHCP Access Policy Example and Detailed Instructions

request logging profile want to log client certificate details

SSL Profiles Part 1: Handshakes

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS