TLS support in iRule editor
After updating my supported cipher/protocol list on the default clientssl profile on my BigIP LTM:
NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!TLSv1:-RC4:@SPEED
I'm no longer able to connect the F5 iRule editor to my BigIP. Is 0.11.6.1 only supporting TLS1.0?
- mo_99289 (Historic F5 Account)
When using the cipher string you provided, the ciphers used by the default clientssl profile are below; they don't contain TLS1.0, so that might be the cause. You could capture the SSL session between the iRule Editor and the BigIP to find out more info.
       ID  SUITE                          BITS  PROT    METHOD  CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384    256   TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 2: 49192  ECDHE-RSA-AES256-SHA384        256   TLS1.2  Native  AES       SHA384  ECDHE_RSA
 3: 49188  ECDHE-ECDSA-AES256-SHA384      256   TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA       256   TLS1.1  Native  AES       SHA     ECDHE_RSA
 5: 49172  ECDHE-RSA-AES256-CBC-SHA       256   TLS1.2  Native  AES       SHA     ECDHE_RSA
 6: 49162  ECDHE-ECDSA-AES256-SHA         256   TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 7: 49162  ECDHE-ECDSA-AES256-SHA         256   TLS1.2  Native  AES       SHA     ECDHE_ECDSA
 8:   163  DHE-DSS-AES256-GCM-SHA384      256   TLS1.2  Native  AES-GCM   SHA384  DHE/DSS
 9:   106  DHE-DSS-AES256-SHA256          256   TLS1.2  Native  AES       SHA256  DHE/DSS
10:    56  DHE-DSS-AES256-SHA             256   TLS1.1  Native  AES       SHA     DHE/DSS
11:    56  DHE-DSS-AES256-SHA             256   TLS1.2  Native  AES       SHA     DHE/DSS
12:    56  DHE-DSS-AES256-SHA             256   DTLS1   Native  AES       SHA     DHE/DSS
13: 49202  ECDH-RSA-AES256-GCM-SHA384     256   TLS1.2  Native  AES-GCM   SHA384  ECDH_RSA
14: 49198  ECDH-ECDSA-AES256-GCM-SHA384   256   TLS1.2  Native  AES-GCM   SHA384  ECDH_ECDSA
15: 49194  ECDH-RSA-AES256-SHA384         256   TLS1.2  Native  AES       SHA384  ECDH_RSA
16: 49190  ECDH-ECDSA-AES256-SHA384       256   TLS1.2  Native  AES       SHA384  ECDH_ECDSA
17: 49167  ECDH-RSA-AES256-SHA            256   TLS1.1  Native  AES       SHA     ECDH_RSA
18: 49167  ECDH-RSA-AES256-SHA            256   TLS1.2  Native  AES       SHA     ECDH_RSA
19: 49157  ECDH-ECDSA-AES256-SHA          256   TLS1.1  Native  AES       SHA     ECDH_ECDSA
20: 49157  ECDH-ECDSA-AES256-SHA          256   TLS1.2  Native  AES       SHA     ECDH_ECDSA
21:   157  AES256-GCM-SHA384              256   TLS1.2  Native  AES-GCM   SHA384  RSA
22:    61  AES256-SHA256                  256   TLS1.2  Native  AES       SHA256  RSA
23:    53  AES256-SHA                     256   TLS1.1  Native  AES       SHA     RSA
24:    53  AES256-SHA                     256   TLS1.2  Native  AES       SHA     RSA
25:    53  AES256-SHA                     256   DTLS1   Native  AES       SHA     RSA
26: 49170  ECDHE-RSA-DES-CBC3-SHA         168   TLS1.1  Native  DES       SHA     ECDHE_RSA
27: 49170  ECDHE-RSA-DES-CBC3-SHA         168   TLS1.2  Native  DES       SHA     ECDHE_RSA
28: 49160  ECDHE-ECDSA-DES-CBC3-SHA       168   TLS1.1  Native  DES       SHA     ECDHE_ECDSA
29: 49160  ECDHE-ECDSA-DES-CBC3-SHA       168   TLS1.2  Native  DES       SHA     ECDHE_ECDSA
30: 49165  ECDH-RSA-DES-CBC3-SHA          168   TLS1.1  Native  DES       SHA     ECDH_RSA
31: 49165  ECDH-RSA-DES-CBC3-SHA          168   TLS1.2  Native  DES       SHA     ECDH_RSA
32: 49155  ECDH-ECDSA-DES-CBC3-SHA        168   TLS1.1  Native  DES       SHA     ECDH_ECDSA
33: 49155  ECDH-ECDSA-DES-CBC3-SHA        168   TLS1.2  Native  DES       SHA     ECDH_ECDSA
34:    10  DES-CBC3-SHA                   168   TLS1.1  Native  DES       SHA     RSA
35:    10  DES-CBC3-SHA                   168   TLS1.2  Native  DES       SHA     RSA
36:    10  DES-CBC3-SHA                   168   DTLS1   Native  DES       SHA     RSA
37: 49199  ECDHE-RSA-AES128-GCM-SHA256    128   TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
38: 49195  ECDHE-ECDSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
39: 49191  ECDHE-RSA-AES128-SHA256        128   TLS1.2  Native  AES       SHA256  ECDHE_RSA
40: 49187  ECDHE-ECDSA-AES128-SHA256      128   TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
41: 49171  ECDHE-RSA-AES128-CBC-SHA       128   TLS1.1  Native  AES       SHA     ECDHE_RSA
42: 49171  ECDHE-RSA-AES128-CBC-SHA       128   TLS1.2  Native  AES       SHA     ECDHE_RSA
43: 49161  ECDHE-ECDSA-AES128-SHA         128   TLS1.1  Native  AES       SHA     ECDHE_ECDSA
44: 49161  ECDHE-ECDSA-AES128-SHA         128   TLS1.2  Native  AES       SHA     ECDHE_ECDSA
45:   162  DHE-DSS-AES128-GCM-SHA256      128   TLS1.2  Native  AES-GCM   SHA256  DHE/DSS
46:    64  DHE-DSS-AES128-SHA256          128   TLS1.2  Native  AES       SHA256  DHE/DSS
47:    50  DHE-DSS-AES128-SHA             128   TLS1.1  Native  AES       SHA     DHE/DSS
48:    50  DHE-DSS-AES128-SHA             128   TLS1.2  Native  AES       SHA     DHE/DSS
49:    50  DHE-DSS-AES128-SHA             128   DTLS1   Native  AES       SHA     DHE/DSS
50: 49201  ECDH-RSA-AES128-GCM-SHA256     128   TLS1.2  Native  AES-GCM   SHA256  ECDH_RSA
51: 49197  ECDH-ECDSA-AES128-GCM-SHA256   128   TLS1.2  Native  AES-GCM   SHA256  ECDH_ECDSA
52: 49193  ECDH-RSA-AES128-SHA256         128   TLS1.2  Native  AES       SHA256  ECDH_RSA
53: 49189  ECDH-ECDSA-AES128-SHA256       128   TLS1.2  Native  AES       SHA256  ECDH_ECDSA
54: 49166  ECDH-RSA-AES128-SHA            128   TLS1.1  Native  AES       SHA     ECDH_RSA
55: 49166  ECDH-RSA-AES128-SHA            128   TLS1.2  Native  AES       SHA     ECDH_RSA
56: 49156  ECDH-ECDSA-AES128-SHA          128   TLS1.1  Native  AES       SHA     ECDH_ECDSA
57: 49156  ECDH-ECDSA-AES128-SHA          128   TLS1.2  Native  AES       SHA     ECDH_ECDSA
58:   156  AES128-GCM-SHA256              128   TLS1.2  Native  AES-GCM   SHA256  RSA
59:    60  AES128-SHA256                  128   TLS1.2  Native  AES       SHA256  RSA
60:    47  AES128-SHA                     128   TLS1.1  Native  AES       SHA     RSA
61:    47  AES128-SHA                     128   TLS1.2  Native  AES       SHA     RSA
62:    47  AES128-SHA                     128   DTLS1   Native  AES       SHA     RSA
63:   135  DHE-DSS-CAMELLIA256-SHA        256   TLS1.1  Native  CAMELLIA  SHA     DHE/DSS
64:   135  DHE-DSS-CAMELLIA256-SHA        256   TLS1.2  Native  CAMELLIA  SHA     DHE/DSS
65:   132  CAMELLIA256-SHA                256   TLS1.1  Native  CAMELLIA  SHA     RSA
66:   132  CAMELLIA256-SHA                256   TLS1.2  Native  CAMELLIA  SHA     RSA
67:    68  DHE-DSS-CAMELLIA128-SHA        128   TLS1.1  Native  CAMELLIA  SHA     DHE/DSS
68:    68  DHE-DSS-CAMELLIA128-SHA        128   TLS1.2  Native  CAMELLIA  SHA     DHE/DSS
69:    65  CAMELLIA128-SHA                128   TLS1.1  Native  CAMELLIA  SHA     RSA
70:    65  CAMELLIA128-SHA                128   TLS1.2  Native  CAMELLIA  SHA     RSA
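The check made in the reply above can be automated. This is an added example, not part of the original thread and not F5 code: it parses a cipher listing in the format shown (wrapped or flattened onto one line), groups suites by protocol, and tests whether a client limited to given protocol versions can still negotiate. The function names and the `TLS1` label for TLS 1.0 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few rows copied from the listing in the post above,
# run together on one line the way forum software often flattens them.
SAMPLE = (
    "ID SUITE BITS PROT METHOD CIPHER MAC KEYX "
    "0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA "
    "4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA "
    "12: 56 DHE-DSS-AES256-SHA 256 DTLS1 Native AES SHA DHE/DSS "
    "23: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA "
    "24: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA"
)

# One row: "<index>: <id> <suite> <bits> <prot> <method> <cipher> <mac> <keyx>"
ROW = re.compile(
    r"(?<!\S)(?P<idx>\d+):\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+"
    r"(?P<prot>D?TLS[\d.]+|SSL\S+)\s+(?P<method>\S+)\s+(?P<cipher>\S+)\s+"
    r"(?P<mac>\S+)\s+(?P<keyx>\S+)"
)


def parse_listing(text):
    """Return one dict per cipher row; the header line never matches ROW."""
    return [m.groupdict() for m in ROW.finditer(text)]


def suites_by_protocol(rows):
    """Map each offered protocol label to the suite names available under it."""
    offered = defaultdict(list)
    for row in rows:
        offered[row["prot"]].append(row["suite"])
    return dict(offered)


def client_can_connect(rows, client_protocols):
    """True if at least one protocol the client speaks is still offered."""
    return bool(set(client_protocols) & {row["prot"] for row in rows})


if __name__ == "__main__":
    rows = parse_listing(SAMPLE)
    for prot, suites in sorted(suites_by_protocol(rows).items()):
        print(f"{prot}: {len(suites)} suite(s)")
    # Assumption: the listing labels TLS 1.0 as "TLS1".
    print("TLS 1.0-only client can connect:", client_can_connect(rows, {"TLS1"}))
```
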
Hi Aaron,
The iRule Editor is unfortunately using very insecure SSL/TLS libs and/or settings.
Besides the missing TLS1.1 and TLS1.2 support, the iRule Editor does not even check for trusted certificates, name matching, or revocation information. So if security is a concern, it is better to use a desktop-based SSL inspection proxy (e.g. Fiddler2) to connect the iRule Editor to your F5.
Cheers, Kai
Thanks, Kai & Mo. Any chance that better TLS support is going to show up in an upcoming update of the iRule editor? I can certainly use Fiddler to proxy it, but it does seem silly.