Forum Discussion
PQC: a blindspot (logging) on BIG-IP - RFE
On BIG-IP it's currently not possible to log information such as proposed and negotiated Key Exchange Algorithm. No available iRule commands for that.
On the other hand, NGINX do offer the possible to log it ($ssl_curve/$ssl_curves variables).
I've got a RFE created for the following:
Provide new iRule commands in events CLIENTSSL_CLIENTHELLO and CLIENTSSL_HANDSHAKE that outputs the Key Exchange Algorithm:
- list of proposed (by the SSL client) Key Exchange Algorithms in CLIENTSSL_CLIENTHELLO
- negotiated Key Exchange Algorithms in CLIENTSSL_HANDSHAKE
=>
RFE ID2347153 โ "iRule command equivalent to NGINX's $ssl_curve for logging the negotiated KEM/DH group"
Don't hesitate to open a support case to bind it to that RFE, the more we are the higher priority will be assigned to implement it (hopefully). ๐
Alexandre
2 Replies
you can try to log it using SSL::cipher object
- amolari
Cirrostratus
That won't work, as per the note from F5 support:
What IS Available via iRules on BIG-IP 17.5.1
1. Log negotiated cipher suite and TLS version (post-handshake) Per KB K86071030:
when CLIENTSSL_HANDSHAKE { log local0. "Client: [IP::client_addr] - TLS: [SSL::cipher version] - Cipher: [SSL::cipher name] - Bits: [SSL::cipher bits]" }
Limitation: [SSL::cipher name] returns the TLS 1.3 cipher suite (e.g., TLS_AES_128_GCM_SHA256), which does not include the key exchange group. In TLS 1.3, the cipher suite and key exchange group are decoupled by design.
2. Log client's offered cipher list (pre-handshake) Per KB K10452619:
when CLIENTSSL_CLIENTHELLO { log local0. "Client: [IP::client_addr] - OfferedCiphers: [SSL::cipher clientlist]" }
Limitation: [SSL::cipher clientlist] returns cipher suite hex codes from the ClientHello โ it does not expose the supported_groups or key_share TLS extensions. The PQC group identifier (e.g., 0x11EC for X25519MLKEM768) is advertised in the key_share extension, which is not accessible via this command.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com