After updating my supported cipher/protocol list on the default clientssl profile on my BigIP LTM: NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!TLSv1:-RC4:@SPEED I'm no longer able to connect the F5 iRule editor to my BigIP. Is 0.11.6.1 only supporting TLS1.0?

Thanks, Kai & Mo. Any chance that better TLS support is going to show up in an upcoming update of the iRule editor? I can certainly use Fiddler to proxy it, but it does seem silly.

TLS support in iRule editor

mo_99289

Historic F5 Account

Feb 18, 2016

when using the cipher string you provided, the cipher used by default clientssl profile are below, doesn't contain TLS1.0. so it might be the cause. you could capture ssl session btw iRule Editor and the bigip to find out more info.

                  ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA 
 1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 2: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA 
 3: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA 
 5: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA 
 6: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 7: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
 8:   163  DHE-DSS-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  DHE/DSS   
 9:   106  DHE-DSS-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  DHE/DSS   
10:    56  DHE-DSS-AES256-SHA               256  TLS1.1  Native  AES       SHA     DHE/DSS   
11:    56  DHE-DSS-AES256-SHA               256  TLS1.2  Native  AES       SHA     DHE/DSS   
12:    56  DHE-DSS-AES256-SHA               256  DTLS1   Native  AES       SHA     DHE/DSS   
13: 49202  ECDH-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM   SHA384  ECDH_RSA  
14: 49198  ECDH-ECDSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM   SHA384  ECDH_ECDSA
15: 49194  ECDH-RSA-AES256-SHA384           256  TLS1.2  Native  AES       SHA384  ECDH_RSA  
16: 49190  ECDH-ECDSA-AES256-SHA384         256  TLS1.2  Native  AES       SHA384  ECDH_ECDSA
17: 49167  ECDH-RSA-AES256-SHA              256  TLS1.1  Native  AES       SHA     ECDH_RSA  
18: 49167  ECDH-RSA-AES256-SHA              256  TLS1.2  Native  AES       SHA     ECDH_RSA  
19: 49157  ECDH-ECDSA-AES256-SHA            256  TLS1.1  Native  AES       SHA     ECDH_ECDSA
20: 49157  ECDH-ECDSA-AES256-SHA            256  TLS1.2  Native  AES       SHA     ECDH_ECDSA
21:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA       
22:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA       
23:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA       
24:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA       
25:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA       
26: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.1  Native  DES       SHA     ECDHE_RSA 
27: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA 
28: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1.1  Native  DES       SHA     ECDHE_ECDSA
29: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1.2  Native  DES       SHA     ECDHE_ECDSA
30: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1.1  Native  DES       SHA     ECDH_RSA  
31: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1.2  Native  DES       SHA     ECDH_RSA  
32: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1.1  Native  DES       SHA     ECDH_ECDSA
33: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1.2  Native  DES       SHA     ECDH_ECDSA
34:    10  DES-CBC3-SHA                     168  TLS1.1  Native  DES       SHA     RSA       
35:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA       
36:    10  DES-CBC3-SHA                     168  DTLS1   Native  DES       SHA     RSA       
37: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA 
38: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
39: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA 
40: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
41: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA 
42: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA 
43: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
44: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
45:   162  DHE-DSS-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  DHE/DSS   
46:    64  DHE-DSS-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  DHE/DSS   
47:    50  DHE-DSS-AES128-SHA               128  TLS1.1  Native  AES       SHA     DHE/DSS   
48:    50  DHE-DSS-AES128-SHA               128  TLS1.2  Native  AES       SHA     DHE/DSS   
49:    50  DHE-DSS-AES128-SHA               128  DTLS1   Native  AES       SHA     DHE/DSS   
50: 49201  ECDH-RSA-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM   SHA256  ECDH_RSA  
51: 49197  ECDH-ECDSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM   SHA256  ECDH_ECDSA
52: 49193  ECDH-RSA-AES128-SHA256           128  TLS1.2  Native  AES       SHA256  ECDH_RSA  
53: 49189  ECDH-ECDSA-AES128-SHA256         128  TLS1.2  Native  AES       SHA256  ECDH_ECDSA
54: 49166  ECDH-RSA-AES128-SHA              128  TLS1.1  Native  AES       SHA     ECDH_RSA  
55: 49166  ECDH-RSA-AES128-SHA              128  TLS1.2  Native  AES       SHA     ECDH_RSA  
56: 49156  ECDH-ECDSA-AES128-SHA            128  TLS1.1  Native  AES       SHA     ECDH_ECDSA
57: 49156  ECDH-ECDSA-AES128-SHA            128  TLS1.2  Native  AES       SHA     ECDH_ECDSA
58:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA       
59:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA       
60:    47  AES128-SHA                       128  TLS1.1  Native  AES       SHA     RSA       
61:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA       
62:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA       
63:   135  DHE-DSS-CAMELLIA256-SHA          256  TLS1.1  Native  CAMELLIA  SHA     DHE/DSS   
64:   135  DHE-DSS-CAMELLIA256-SHA          256  TLS1.2  Native  CAMELLIA  SHA     DHE/DSS   
65:   132  CAMELLIA256-SHA                  256  TLS1.1  Native  CAMELLIA  SHA     RSA       
66:   132  CAMELLIA256-SHA                  256  TLS1.2  Native  CAMELLIA  SHA     RSA       
67:    68  DHE-DSS-CAMELLIA128-SHA          128  TLS1.1  Native  CAMELLIA  SHA     DHE/DSS   
68:    68  DHE-DSS-CAMELLIA128-SHA          128  TLS1.2  Native  CAMELLIA  SHA     DHE/DSS   
69:    65  CAMELLIA128-SHA                  128  TLS1.1  Native  CAMELLIA  SHA     RSA       
70:    65  CAMELLIA128-SHA                  128  TLS1.2  Native  CAMELLIA  SHA     RSA

Kai_Wilke
MVP
Feb 18, 2016
Hi Aaron,

the iRule Editor is unfortunately using very unsecure SSL/TLS libs and/or settings.

Beside of the missing TLS1.1, TLS1.2 support, the iRule editor is even not checking for trusted certificates, name matchings, and revocation information. So if security is a concern, then better use a desktop based SSL-Inspection proxy (e.g. Fiddler2), to connect the iRule Editor to your F5.

Cheers, Kai
AaronMLong_1021
Cirrus
Feb 18, 2016
Thanks, Kai & Mo. Any chance that better TLS support is going to show up in an upcoming update of the iRule editor? I can certainly use Fiddler to proxy it, but it does seem silly.

Forum Discussion

TLS support in iRule editor

Recent Discussions

TCP Out-of-order, TCP Dup ACK, and TCP Retransmission packets are displayed.

APM with EntraID as idP / request signed

Creating Policy using Terraform

Alert Mail when virtual server down trubleshooting

How to disable RC4 Cipher on SSL

Related Content

irule editor

F5 Access support for MS Intune

Does LTM support external GeoIP Database?

how many concurrency rest api request LTM,GTM can support

Irule editor question

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS