Forum Discussion

Korai
Apr 02, 2020

TLS/SSL Version Test Tool

Hi,

 

Is there any way to test which SSL/TLS versions are currently running through F5, so that I can disable/remove weak ciphers and the SSLv3, TLS1.0 and TLS1.1 versions?

So I need to disable SSLv3/TLS1.0 and TLS1.1, but once I finish my change, I want to make sure that F5 is no longer processing any SSLv3 or TLS1.0/TLS1.1 traffic and is only supporting TLS1.2.

Do we have any tool or website to test this, or is there any way we can test it through the F5 CLI?

  • There are many free tools available to validate application security.

    Example: openssl is an inbuilt tool to initiate a connection with a specific protocol (sslv1, tls1.0, etc.); this will be helpful if your application is only exposed to an internal/intranet network.

    Another free one is the Qualys SSL test. This will be helpful to run all types of tests, in fact even browser compatibility.

    https://www.ssllabs.com/ssltest/

    Hope this will help.

  • Hi Korai,

     

    To test ciphers you can use Wireshark to check the "Server Hello" as below, to see which cipher F5 selected from the client's cipher list during negotiation, or you can use a command as below.

    [root@lb2:Standby:In Sync] config # openssl s_client -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -connect 192.168.148.184:443

     

    Cipher suites are configured per SSL profile (Client/Server); you need to type "TLSv1_2" in the cipher string, as seen below, to only support TLSv1_2 ciphers.

    You can also check via the CLI by typing the command below to list only the ciphers supported with TLSv1.2.

    [root@lb2:Standby:In Sync] config # tmm --clientciphers TLSv1_2

  • testssl is good for testing without external access. https://testssl.sh

  • Usually use nmap or openssl for internal sites and Qualys SSL Labs for external sites.

     

    Sample NMAP Command

    nmap -sV -p 443 --script ssl-cert,ssl-enum-ciphers <host>

     

    References

    https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

    https://www.ssllabs.com/
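
The `openssl s_client` check suggested in the replies above, extended into a per-version audit, as an added example that is not part of any post in the thread: it tries SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2 against one address and compares each result with the TLS 1.2-only goal from the question. The function names and sample excerpts are constructed for illustration; the script assumes the local openssl build still accepts `-ssl3`, `-tls1` and `-tls1_1`, and reports UNTESTED instead of a rejection when it does not.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: sh tlsaudit.sh <host:port>
# With no argument it only classifies the constructed samples below.

# Constructed s_client excerpts (not captured from a real device).
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_LOCAL='s_client: Unknown option: -ssl3'

# classify <s_client output> -> ACCEPTED | REJECTED | UNTESTED
classify() {
    # Client-side failures say nothing about what the server accepts.
    if printf '%s\n' "$1" | grep -Eiq 'unknown option|no protocols available|connect:errno'; then
        echo UNTESTED
    # A completed handshake names a real cipher; a failed one prints (NONE).
    elif printf '%s\n' "$1" | grep -E 'Cipher is ' | grep -Fvq '(NONE)'; then
        echo ACCEPTED
    else
        echo REJECTED
    fi
}

# verdict <s_client flag> <state> -> PASS | FAIL | UNKNOWN (policy: TLSv1.2 only)
verdict() {
    case "$1:$2" in
        -tls1_2:ACCEPTED)            echo PASS ;;
        -tls1_2:REJECTED|*:ACCEPTED) echo FAIL ;;
        *:REJECTED)                  echo PASS ;;
        *)                           echo UNKNOWN ;;
    esac
}

# audit <host:port>: one handshake attempt per protocol version
audit() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(openssl s_client "$flag" -connect "$1" </dev/null 2>&1) || true
        state=$(classify "$out")
        printf '%-8s %-9s %s\n' "$flag" "$state" "$(verdict "$flag" "$state")"
    done
}

if [ "$#" -ge 1 ]; then
    audit "$1"
else
    for s in "$SAMPLE_OK" "$SAMPLE_FAIL" "$SAMPLE_LOCAL"; do classify "$s"; done
fi
```

Run it before and after the SSL profile change: any FAIL line is a version the virtual server still negotiates against the policy, and an UNKNOWN line needs a retest from a client whose openssl can send that version.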