Forum Discussion
Question on SSL Ciphers - Default SSL profile
Has anyone ever resolved any issues pre-upgrade with the F5 regarding server-side SSL profiles and their incompatibility?
I was looking for a way to determine which servers will not be compatible with my default serverssl profile after I upgrade my F5. With the move to newer versions of code, I understand that some SSL ciphers will be added and others removed for security purposes.
I understand that in order to temporarily resolve these issues I can configure the "serverssl-insecure-compatible" option on a VIP. I have a couple hundred VIPs; is there any way to search which VIPs or servers will not be compatible with the default server-side SSL profile, in order to reduce the impact to those VIPs?
- jaikumar_f5
You can refer to my script to run a test against the 100 VIPs or even the backend servers.
https://devcentral.f5.com/questions/find-ssl-tls-versions-supported-script-54620
Serverssl profiles in 11.x by default negate SSLv3 and allow all other TLS versions, so the default serverssl should not be a problem.
- wlopez
You can upload a qkview to iHealth and use the upgrade advisor feature to get some hints about possible issues that might arise when upgrading your current configuration to the target version.
Also, if you want to figure out what's currently being negotiated against the servers in each pool you can capture it with an iRule like this:
```tcl
# Counts, per virtual server, what the BIG-IP negotiated with the pool member
# on the server side of each connection. Attach it to the VIPs that use the
# serverssl profile: SERVERSSL_HANDSHAKE fires after the server-side handshake,
# so SSL::cipher here reports the backend's negotiated parameters, not the client's.
when SERVERSSL_HANDSHAKE {
    ISTATS::incr "ltm.virtual.pool [virtual name] c [SSL::cipher version]" 1
    ISTATS::incr "ltm.virtual.pool [virtual name] c [SSL::cipher name]" 1
    ISTATS::incr "ltm.virtual.pool [virtual name] c [SSL::cipher bits]" 1
}
```
You can use the 'istats dump' command to view the accumulated stats:

```
[root@f5bigip-lab:Active:In Sync] ~ istats dump
/var/tmstat/cluster.tm2 [READONLY]: nextBlockId=7776, last update at 2017-08-28 18:05:31
all facts:
[ ltm.virtual.pool=/Common/VS_www.mysite.com ][256] = 724 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_www.mysite.com ][ECDHE-RSA-AES256-SHA384] = 724 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_www.mysite.com ][TLSv1.2] = 724 (2017-08-28 18:05:31)
```
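Worked example, added here and not part of wlopez's post or any F5 tool: a small Python script that turns the `istats dump` output above into a per-VIP summary of negotiated protocol versions and ciphers, then flags every VIP whose backends negotiated something outside the set the post-upgrade serverssl profile will allow. It goes one step beyond the post by also including an active `probe_server` check for a single pool member, for the case where a VIP sees too little traffic to show up in the counters. Everything in it is constructed for the example: the sample dump adds a hypothetical second VS (`/Common/VS_legacy_app`) that still negotiates TLSv1 with RC4, and the allow-lists are placeholders to be replaced with the cipher and version set of the target profile (e.g. from `tmsh list ltm profile server-ssl serverssl`), not F5's actual defaults for any version.

```python
import re
import socket
import ssl
from collections import defaultdict

# Constructed sample in the shape of the `istats dump` output above: the VS
# from the post plus a hypothetical second VS whose pool still negotiates
# TLSv1 with RC4. Names and counts for the second VS are made up.
SAMPLE_DUMP = """\
all facts:
[ ltm.virtual.pool=/Common/VS_www.mysite.com ][256] = 724 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_www.mysite.com ][ECDHE-RSA-AES256-SHA384] = 724 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_www.mysite.com ][TLSv1.2] = 724 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_legacy_app ][128] = 12 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_legacy_app ][RC4-SHA] = 12 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_legacy_app ][TLSv1] = 12 (2017-08-28 18:05:31)
"""

# One "fact" line: [ <class>=<virtual name> ][<stat>] = <count> (<timestamp>)
FACT_RE = re.compile(
    r"\[ (?P<cls>[\w.]+)=(?P<vs>\S+) \]\[(?P<stat>[^\]]+)\] = (?P<count>\d+)"
)
VERSION_RE = re.compile(r"^(SSLv[23]|TLSv1(\.[123])?)$")


def parse_istats(text):
    """Group the dump per virtual server into version / cipher / key-size counters.

    The iRule records three separate counters per handshake, so the stat name
    alone tells us which bucket a line belongs to.
    """
    out = defaultdict(lambda: {"versions": {}, "ciphers": {}, "bits": {}})
    for line in text.splitlines():
        m = FACT_RE.search(line)
        if not m:
            continue  # header lines such as "all facts:"
        vs, stat, n = m["vs"], m["stat"], int(m["count"])
        if VERSION_RE.match(stat):
            bucket = "versions"
        elif stat.isdigit():
            bucket = "bits"
        else:
            bucket = "ciphers"
        out[vs][bucket][stat] = out[vs][bucket].get(stat, 0) + n
    return dict(out)


def flag_incompatible(stats, allowed_versions, allowed_ciphers):
    """Return {vs: [reasons]} for every VS whose observed server-side handshakes
    used a protocol version or cipher outside what the target profile allows."""
    flags = {}
    for vs, s in sorted(stats.items()):
        reasons = []
        for ver, n in sorted(s["versions"].items()):
            if ver not in allowed_versions:
                reasons.append(f"version {ver} ({n} handshakes)")
        for cipher, n in sorted(s["ciphers"].items()):
            if cipher not in allowed_ciphers:
                reasons.append(f"cipher {cipher} ({n} handshakes)")
        if reasons:
            flags[vs] = reasons
    return flags


def probe_server(host, port, min_version, max_version, cipher_string="DEFAULT", timeout=5.0):
    """Active check for one pool member: attempt a handshake restricted to the
    given version window and OpenSSL cipher string. Returns (version, cipher)
    on success, None if the server (or the local OpenSSL build) refuses it.
    Caveat: modern OpenSSL builds may not offer TLSv1/TLSv1.1 at all, so None
    can reflect the client's limits rather than the server's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # we only care whether the handshake completes
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    ctx.set_ciphers(cipher_string)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except OSError:  # covers ssl.SSLError, connection refused and timeouts
        return None


if __name__ == "__main__":
    import sys
    # Placeholder allow-lists (assumption for this example, not F5's defaults):
    # replace with the versions and ciphers the target serverssl profile permits.
    allowed_versions = {"TLSv1.2", "TLSv1.3"}
    allowed_ciphers = {"ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"}
    report = flag_incompatible(parse_istats(SAMPLE_DUMP), allowed_versions, allowed_ciphers)
    for vs, reasons in report.items():
        print(vs, "->", "; ".join(reasons))
    if len(sys.argv) == 3:  # optional: python3 script.py <host> <port> probes one server directly
        host, port = sys.argv[1], int(sys.argv[2])
        for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
            print(f"{v.name:8s}", probe_server(host, port, v, v))
```

Run it with the real dump piped in (`istats dump > dump.txt`) after the iRule has collected a representative window of traffic; a VIP that never appears in the dump got no server-side handshakes in that window and is a candidate for the active probe instead.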