Forum Discussion
LyonsG_85618
Cirrostratus
Jun 09, 2014
ServerSSL profile issues after upgrade to v11.4.1
Hi. I am in the process of upgrading from 10.2.4HF5 to 11.4.1HF3 and have hit a problem that I cannot resolve.
Basically one of my ServerSSL profiles is failing after upgrade.
If I remove the prof...
LyonsG_85618
Cirrostratus
Jun 10, 2014
If I use DEFAULT:!TLSv1_1:!TLSv1_2 I can't see RC4-MD5 ciphers:
tmm --clientciphers 'DEFAULT:!TLSv1_1:!TLSv1_2'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
2: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
3: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
4: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
12: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
13: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
And I still get an error in the log:
SSL Handshake failed for TCP from 172.31.81.95:65417 to 172.31.100.195:443
If I use 'MEDIUM:!TLSv1_1:!TLSv1_2':
tmm --clientciphers 'MEDIUM:!TLSv1_1:!TLSv1_2'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
1: 4 RC4-MD5 128 TLS1 Native RC4 MD5 RSA
2: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
3: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
4: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
5: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
6: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
7: 51 DHE-RSA-AES128-SHA 128 SSL3 Native AES SHA EDH/RSA
8: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
9: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
I can see RC4-MD5 ciphers but get the following in the log:
Jun 10 09:44:48 bipscint2 notice tmm2[13424]: 01260018:5: Connection attempt to insecure SSL server (see RFC5746): 172.31.100.195:443
Jun 10 09:44:48 bipscint2 info tmm2[13424]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:65533 to 172.31.100.195:443
Cory_50405
Noctilucent
Jun 10, 2014
If you use cipher string MEDIUM:!TLSv1_1:!TLSV1_2, and set secure renegotiation to 'request', does it work?
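
An added example, not part of any post in this thread: a Python triage script that pairs each 01260013 handshake failure with a 01260018 RFC5746 notice from the same TMM, second and server, separating failures tied to the secure renegotiation setting from ones that need a cipher or protocol check. The sample log is constructed from the lines quoted above; the syslog prefix on the first line is an assumption, and the `rfc5746`/`other` labels are names chosen here.

```python
import re

# Constructed sample built from the log lines quoted in the thread. The first
# failure was posted without a syslog prefix, so its prefix is an assumption.
SAMPLE_LOG = """\
Jun 10 09:40:02 bipscint2 info tmm2[13424]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:65417 to 172.31.100.195:443
Jun 10 09:44:48 bipscint2 notice tmm2[13424]: 01260018:5: Connection attempt to insecure SSL server (see RFC5746): 172.31.100.195:443
Jun 10 09:44:48 bipscint2 info tmm2[13424]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:65533 to 172.31.100.195:443
"""

PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) \w+ "
                    r"(?P<tmm>tmm\d*)\[\d+\]: (?P<code>\d{8}):\d: (?P<msg>.*)$")
NOTICE = re.compile(r"insecure SSL server \(see RFC5746\): (?P<server>\S+)$")
FAILED = re.compile(r"SSL Handshake failed for TCP from (?P<client>\S+) to (?P<server>\S+)$")

def parse(log_text):
    """Yield ((host, tmm, timestamp), code, msg) for each recognised line."""
    for raw in log_text.splitlines():
        m = PREFIX.match(raw.strip())
        if m:
            yield (m["host"], m["tmm"], m["ts"]), m["code"], m["msg"]

def classify_failures(log_text):
    """Return [(client, server, cause)] for every 01260013 handshake failure."""
    events = list(parse(log_text))
    # Pass 1: remember where TMM logged the RFC5746 notice (01260018).
    flagged = set()
    for key, code, msg in events:
        n = NOTICE.search(msg)
        if code == "01260018" and n:
            flagged.add(key + (n["server"],))
    # Pass 2: label each failure by whether a matching notice exists.
    results = []
    for key, code, msg in events:
        f = FAILED.search(msg)
        if code == "01260013" and f:
            cause = "rfc5746" if key + (f["server"],) in flagged else "other"
            results.append((f["client"], f["server"], cause))
    return results

if __name__ == "__main__":
    for client, server, cause in classify_failures(SAMPLE_LOG):
        print(f"{client} -> {server}: {cause}")
```
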