Forum Discussion
SSLv3 vs TLS 1.2 discrimination with irule
Hello all mighty F5 gurus!
We are going to switch to TLS 1.2 on all of our F5 VIPs, but for some months we want to show some sort of message to any customer that still uses SSLv3, instead of showing an error. Meaning, if the browser uses any version lower than TLS 1.2, we want to redirect them somewhere else.
After some digging in DevCentral, I've come up with this iRule:
when HTTP_REQUEST {
    # HTTP_REQUEST fires after the TLS handshake has completed, so the client SSL
    # profile must still allow the older protocol versions to negotiate at all.
    # SSL::cipher version returns the negotiated protocol name, e.g. "SSLv3",
    # "TLSv1", "TLSv1.1" or "TLSv1.2".
    set cipherSuite [SSL::cipher version]
    if { $cipherSuite equals "TLSv1.2" } {
        # Modern client: send it to the real application pool
        pool web_portal_pool
    } else {
        # Legacy client: redirect to the notice page instead of failing the request
        # (Tcl requires "} else {" on one line; splitting it is a syntax error)
        HTTP::redirect "http://www.yahoo.com"
    }
}
To test this, I've opened sessions with IE, selecting SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. It seems to work, except for TLS 1.1. When I select that as the protocol to use in IE, I get:
This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://10.42.40.204 again. If this error persists, contact your site administrator.
Any idea why this is happening?
Thanks! Fabian
9 Replies
- Arie
Altostratus
Is it possible that TLS 1.1 is indeed not enabled in IE?
- cjunior
Nacreous
Maybe you could tell us if you are doing SSL offload and which ciphers are in the client SSL profile or its parent.
- Brad_Parker
Cirrus
Can you share the cipher string you are using? Is it possible your client doesn't have a TLSv1.1 cipher that matches your F5 cipher string?
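As an added example of the cross-check Brad_Parker is asking about (this is not code from the thread, from F5 or from DevCentral): a small Python script that parses a TLS ClientHello, extracts the protocol version and the cipher suites the client offers, and compares them with a server-side cipher list at that version. The ClientHello bytes are constructed inline and the suite tables are a hand-picked subset of the IANA registry, so the scenario below is an assumption made up for illustration, not Fabian's actual traffic.

```python
"""
Parse a TLS ClientHello, then check whether the client's offered cipher
suites overlap with a server-side cipher list at the client's protocol
version. Added example for this thread; not code from DevCentral or F5.
The ClientHello bytes are constructed inline, and the suite tables are a
small hand-picked subset of the registry (an assumption, not a full list).
"""
import struct

# IANA cipher suite id -> name (constructed subset for the example)
SUITE_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
# AEAD / SHA-256 suites exist only for TLS 1.2 (RFC 5246, RFC 5288,
# RFC 5289); a TLS 1.1 or older handshake cannot select them.
TLS12_ONLY = {0x009C, 0xC02F}

# (major, minor) wire version -> the name SSL::cipher version reports
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def build_client_hello(major, minor, suites):
    """Construct a minimal ClientHello record (no extensions) for testing."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (bytes([major, minor]) + bytes(32)     # client_version, random
             + b"\x00"                             # empty session_id
             + struct.pack("!H", len(cs)) + cs      # cipher_suites
             + b"\x01\x00")                         # compression_methods: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version_name, [suite ids]) from a raw TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake")
    version = (hello[0], hello[1])
    pos = 2 + 32                        # skip client_version and random
    pos += 1 + hello[pos]               # skip session_id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return VERSION_NAMES.get(version, "unknown%d.%d" % version), suites


def negotiate(record, server_suites):
    """Pick the first server-preferred suite that the client also offers and
    that is valid at the client's version. Returns (version, name or None);
    None means the handshake would fail with no shared cipher."""
    version, client_suites = parse_client_hello(record)
    for s in server_suites:
        if s in TLS12_ONLY and version != "TLSv1.2":
            continue
        if s in client_suites:
            return version, SUITE_NAMES.get(s, hex(s))
    return version, None


if __name__ == "__main__":
    # Constructed scenario: a TLS 1.1 client offering only CBC suites ...
    hello_11 = build_client_hello(3, 2, [0xC013, 0x002F, 0x0035])
    # ... against a server list that is GCM-only apart from 3DES: no overlap,
    # which the browser would surface as a generic "page can't be displayed".
    print(negotiate(hello_11, [0xC02F, 0x009C, 0x000A]))  # ('TLSv1.1', None)
    # Adding one CBC suite the client offers makes the handshake succeed.
    print(negotiate(hello_11, [0xC02F, 0xC013]))          # ('TLSv1.1', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA')
```

To apply this to real traffic, feed parse_client_hello the first record of a capture taken with ssldump or tcpdump on the client side of the virtual server, and fill server_suites from the suite list the BIG-IP actually offers for the profile's cipher string.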
- Dicky_Moe_13167
Nimbostratus
I tried DEFAULT
and also DEFAULT:@STRENGTH
Neither of the above strings worked. I've tried other websites directly with only TLS 1.1 enabled and it worked fine.
Fabian
- nathe
Cirrocumulus
My suggestion would be to start looking at an ssldump to see what ciphers the client is presenting. You can then cross-reference the ciphers the F5 is presenting by running the tmm --clientciphers command (with your cipher string).
- cjunior
Nacreous
Is your backend connection encrypted? Does your backend server support TLSv1.1? Run this command over SSH: openssl s_client -connect : -tls1_1 . Does it work?
- Dicky_Moe_13167
Nimbostratus
Nathan, how can I do an ssldump? Wireshark? Is tmm --clientciphers the exact command I should execute in tmsh?
CJunior, it's a Tomcat server running on port 7777, on a Windows machine. It works perfectly if I hit it directly.
Thanks, Fabian
- Arie
Altostratus
Fabian,
Here's F5's document on ssldump: https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html
Also, F5 has a plugin for Wireshark that provides additional features:
https://devcentral.f5.com/articles/getting-started-with-the-f5-wireshark-plugin-on-windows
https://devcentral.f5.com/wiki/AdvDesignConfig.F5WiresharkPlugin.ashx
- Pascal_Tene_910
Historic F5 Account
Dicky, what BIG-IP version and hotfix are you using?