Forum Discussion

Pat_70435's avatar
Pat_70435
Icon for Altocumulus rankAltocumulus
Aug 28, 2017

Question on SSL Ciphers - Default SSL profile

Has anyone ever resolved any issues pre upgrades with the F5 regarding server side SSL Profiles and their incompatibility?   I was looking for a way to determine and find what servers will not be ...
wlopez's avatar
wlopez
Icon for Cirrocumulus rankCirrocumulus
Aug 28, 2017

You can upload a qkview to iHealth and use the upgrade advisor feature to get some hints about possible issues that might arise when upgrading your current configuration to the target version.

 

Also, if you want to figure out what's currently being negotiated against the servers in each pool you can capture it with an iRule like this:

 

when SERVERSSL_HANDSHAKE { ISTATS::incr "ltm.virtual.pool [virtual name] c [SSL::cipher version]" 1 ISTATS::incr "ltm.virtual.pool [virtual name] c [SSL::cipher name]" 1 ISTATS::incr "ltm.virtual.pool [virtual name] c [SSL::cipher bits]" 1 }

 

You can use the 'istats dump' command to view the accumulated stats. [root@f5bigip-lab:Active:In Sync] ~ istats dump /var/tmstat/cluster.tm2 [READONLY]: nextBlockId=7776, last update at 2017-08-28 18:05:31

 

all facts:

 

[ ltm.virtual.pool=/Common/VS_www.mysite.com ][256] = 724 (2017-08-28 18:05:31)

 

[ ltm.virtual.pool=/Common/VS_www.mysite.com ][ECDHE-RSA-AES256-SHA384] = 724 (2017-08-28 18:05:31)

 

[ ltm.virtual.pool=/Common/VS_www.mysite.com ][TLSv1.2] = 724 (2017-08-28 18:05:31)