Forum Discussion
SSL cipher
I set this up in my lab and it works. BIG-IP Version 21.0.
I created two virtuals.
The first virtual has a default SSL profile on the client side and a server-side profile that only has TLS 1 enabled. This has the IP 192.168.57.82
A second has a clientssl profile that will only accept TLS 1 and has an iRule attached that will respond 200 OK to any HTTP request. This has the IP 2.2.2.2.
This is the traffic flow:
First test.
cURL from F5 to Virtual Server 2
Result: Only TLS 1 works, success.
[root@awaf:Active:Standalone] config # openssl s_client -connect 2.2.2.2:443 -tls1
CONNECTED(00000003)
depth=0 C = US, ST = WA, L = Seattle, O = MyCompany, OU = IT, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = WA, L = Seattle, O = MyCompany, OU = IT, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
verify return:1
---
Certificate chain
0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
REMOVED
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1461 bytes and written 299 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES128-SHA
Second test
cURL from F5 to Virtual Server 1, get proper HTTP response and verify TLS 1 from SNAT address to 2.2.2.2
Result:
[root@awaf:Active:Standalone] config # curl https://192.168.57.82 -k
<html>
<head>
<title>BIG-IP</title>
</head>
<body>
200 OK
</body>
</html>
F5 to backend - Client Hello only TLS 1
Backend response - Server Hello only TLS 1
This is my serverssl profile
Here is my complete config as AS3 for you to replay and to test.
I'd start with the first test in your environment to make sure the backend really speaks TLS 1.
{
  "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/main/schema/latest/as3-schema.json",
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "TLS1_TEST": {
      "class": "Tenant",
      "responder_service": {
        "class": "Application",
        "service_http_200": {
          "class": "Service_HTTPS",
          "virtualPort": 443,
          "redirect80": false,
          "serverTLS": "frontendtls",
          "virtualAddresses": [
            "2.2.2.2"
          ],
          "iRules": [{
            "use": "rule_http_200"
          }]
        },
        "frontendtls": {
          "class": "TLS_Server",
          "certificates": [
            {
              "certificate": "default_cert"
            }
          ],
          "ssl3Enabled": false,
          "tls1_0Enabled": true,
          "tls1_1Enabled": false,
          "tls1_2Enabled": false,
          "tls1_3Enabled": false,
          "dtlsEnabled": false,
          "dtls1_2Enabled": false
        },
        "default_cert": {
          "class": "Certificate",
          "certificate": {"bigip": "/Common/default.crt"},
          "privateKey": {"bigip": "/Common/default.key"}
        },
        "rule_http_200": {
          "class": "iRule",
          "iRule": {
            "base64": "d2hlbiBIVFRQX1JFUVVFU1QgewogICBIVFRQOjpyZXNwb25kIDIwMCBjb250ZW50IHsKICAgICAgPGh0bWw+CiAgICAgICAgIDxoZWFkPgogICAgICAgICAgICA8dGl0bGU+QklHLUlQPC90aXRsZT4KICAgICAgICAgPC9oZWFkPgogICAgICAgICA8Ym9keT4KICAgICAgICAgICAgMjAwIE9LCiAgICAgICAgIDwvYm9keT4KICAgICAgPC9odG1sPgogICB9Cn0="
          }
        }
      },
      "forwarding_service": {
        "class": "Application",
        "service_http": {
          "class": "Service_HTTPS",
          "virtualPort": 443,
          "redirect80": false,
          "serverTLS": { "bigip": "/Common/clientssl" },
          "clientTLS": "backendtls",
          "virtualAddresses": [
            "192.168.57.82"
          ],
          "iRules": [{
            "use": "rule_vs_forward"
          }]
        },
        "backendtls": {
          "class": "TLS_Client",
          "ssl3Enabled": false,
          "tls1_0Enabled": true,
          "tls1_1Enabled": false,
          "tls1_2Enabled": false,
          "tls1_3Enabled": false,
          "dtlsEnabled": false,
          "dtls1_2Enabled": false
        },
        "rule_vs_forward": {
          "class": "iRule",
          "iRule": {
            "base64": "d2hlbiBIVFRQX1JFUVVFU1QgewogIHZpcnR1YWwgL1RMUzFfVEVTVC9yZXNwb25kZXJfc2VydmljZS9zZXJ2aWNlX2h0dHBfMjAwCn0="
          }
        }
      }
    }
  }
}
Good luck
Daniel
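Before replaying a declaration like the one above, a reviewer usually wants to know three things without touching the device: which protocol versions each TLS_Server (client-side) and TLS_Client (server-side) object actually permits, what the base64-encoded iRules do, and which serverTLS/clientTLS values only reference a profile that already exists on the BIG-IP (such as `/Common/clientssl`), so that its settings cannot be judged from the declaration at all. The script below is an added example, not code from the post or from F5. DECLARATION is a constructed, trimmed copy of the posted declaration (same class names, protocol flags and iRule payloads, with the certificate and address details left out); the function names and the path notation are this example's own. A flag that is absent is reported as unset rather than guessed, because the AS3 schema default then applies.

```python
import base64

# AS3 TLS_Server / TLS_Client protocol properties and their display names.
PROTOCOL_FLAGS = {
    "ssl3Enabled": "SSLv3",
    "tls1_0Enabled": "TLS 1.0",
    "tls1_1Enabled": "TLS 1.1",
    "tls1_2Enabled": "TLS 1.2",
    "tls1_3Enabled": "TLS 1.3",
}
LEGACY = {"SSLv3", "TLS 1.0", "TLS 1.1"}

# The two iRules exactly as posted above (base64 of the Tcl source).
RULE_HTTP_200 = "d2hlbiBIVFRQX1JFUVVFU1QgewogICBIVFRQOjpyZXNwb25kIDIwMCBjb250ZW50IHsKICAgICAgPGh0bWw+CiAgICAgICAgIDxoZWFkPgogICAgICAgICAgICA8dGl0bGU+QklHLUlQPC90aXRsZT4KICAgICAgICAgPC9oZWFkPgogICAgICAgICA8Ym9keT4KICAgICAgICAgICAgMjAwIE9LCiAgICAgICAgIDwvYm9keT4KICAgICAgPC9odG1sPgogICB9Cn0="
RULE_VS_FORWARD = "d2hlbiBIVFRQX1JFUVVFU1QgewogIHZpcnR1YWwgL1RMUzFfVEVTVC9yZXNwb25kZXJfc2VydmljZS9zZXJ2aWNlX2h0dHBfMjAwCn0="

# Constructed: the posted declaration without certificate and address details.
DECLARATION = {
    "class": "AS3",
    "action": "deploy",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "TLS1_TEST": {
            "class": "Tenant",
            "responder_service": {
                "class": "Application",
                "service_http_200": {"class": "Service_HTTPS", "virtualPort": 443,
                                     "serverTLS": "frontendtls"},
                "frontendtls": {"class": "TLS_Server", "ssl3Enabled": False,
                                "tls1_0Enabled": True, "tls1_1Enabled": False,
                                "tls1_2Enabled": False, "tls1_3Enabled": False},
                "rule_http_200": {"class": "iRule", "iRule": {"base64": RULE_HTTP_200}},
            },
            "forwarding_service": {
                "class": "Application",
                "service_http": {"class": "Service_HTTPS", "virtualPort": 443,
                                 "serverTLS": {"bigip": "/Common/clientssl"},
                                 "clientTLS": "backendtls"},
                "backendtls": {"class": "TLS_Client", "ssl3Enabled": False,
                               "tls1_0Enabled": True, "tls1_1Enabled": False,
                               "tls1_2Enabled": False, "tls1_3Enabled": False},
                "rule_vs_forward": {"class": "iRule", "iRule": {"base64": RULE_VS_FORWARD}},
            },
        },
    },
}


def walk(node, path=""):
    """Yield (slash-separated path, obj) for every JSON object in the tree."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")


def audit_tls_profiles(declaration):
    """Map each TLS_Server/TLS_Client path to its enabled, unset and legacy status.

    legacy_only is asserted only when every protocol flag is explicit and every
    enabled version is SSLv3, TLS 1.0 or TLS 1.1; absent flags are listed as
    unset because the schema default, not this script, decides them.
    """
    report = {}
    for path, obj in walk(declaration):
        if obj.get("class") not in ("TLS_Server", "TLS_Client"):
            continue
        enabled = [name for flag, name in PROTOCOL_FLAGS.items() if obj.get(flag) is True]
        unset = [name for flag, name in PROTOCOL_FLAGS.items() if flag not in obj]
        report[path] = {
            "class": obj["class"],
            "enabled": enabled,
            "unset": unset,
            "legacy_only": bool(enabled) and not unset and set(enabled) <= LEGACY,
        }
    return report


def decode_irules(declaration):
    """Map each iRule path to its decoded Tcl source (base64 form only)."""
    return {
        path: base64.b64decode(obj["iRule"]["base64"]).decode("utf-8")
        for path, obj in walk(declaration)
        if obj.get("class") == "iRule"
        and isinstance(obj.get("iRule"), dict) and "base64" in obj["iRule"]
    }


def find_opaque_tls_refs(declaration):
    """List (service_path, property, bigip_path) where a Service_* object's
    serverTLS/clientTLS points at a profile that already exists on the BIG-IP;
    its protocol settings live on the device and are not visible here."""
    refs = []
    for path, obj in walk(declaration):
        if not str(obj.get("class", "")).startswith("Service_"):
            continue
        for prop in ("serverTLS", "clientTLS"):
            value = obj.get(prop)
            if isinstance(value, dict) and "bigip" in value:
                refs.append((path, prop, value["bigip"]))
    return refs


if __name__ == "__main__":
    for path, info in audit_tls_profiles(DECLARATION).items():
        mark = "  <-- legacy protocols only" if info["legacy_only"] else ""
        print(f"{path} ({info['class']}): enabled={info['enabled']} unset={info['unset']}{mark}")
    for path, prop, target in find_opaque_tls_refs(DECLARATION):
        print(f"{path}.{prop} -> {target} (existing BIG-IP profile, check on the device)")
    for path, source in decode_irules(DECLARATION).items():
        print(f"--- {path}\n{source}")
```

Run against the posted declaration, both `frontendtls` and `backendtls` come out as TLS 1.0 only with every flag explicit, the forwarding virtual's `serverTLS` is reported as an opaque reference to `/Common/clientssl`, and the decoded iRules show the responder returning a fixed `200 OK` page and the forwarder handing the request to `/TLS1_TEST/responder_service/service_http_200`. The same script can be pointed at any AS3 declaration by loading it with `json.load` in place of the inline dictionary.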