How much of my traffic is still SSLv3?

When the POODLE vulnerability came out in 2014, it was hailed as the death knell for SSL version 3. In the quarter just prior to POODLE, 98% of Internet sites supported SSLv3, but a year later that support had dropped to just 33%.

Blue: Internet at large. Red: F5 devices.

Even though the POODLE vulnerability was never seen as an exploit against servers in the wild, system administrators have been keen to increase their security posture against it. And, because of POODLE, Ivan Ristić’s SSL labs system tester will no longer provide A grades to sites that support SSLv3.

So, customers have asked me, “Hey, David, can I disable SSLv3 yet?”  My answer has been, “Yes, you can. Unless you still have a lot of SSLv3 traffic. Do you?”

And then they yelled, “WELL, I DON’T KNOW, BECAUSE THE F5 DOESN’T TELL ME!”

Actually, the F5 can tell you if you know where to look. The statistics aren't attached to the application's virtual server: they are collated at the associated client-ssl profile. Suppose that a customer has a created a client-ssl profile named 'ssl-exchange-2'. He or she can then query the protocol counters via the following tmsh command.

[davidh@murky:Active] ~ # tmsh show ltm profile client-ssl ssl-exchange-2

The output will include the protocol counts (excerpted here).

--------------------------------------------------------------------------------
Ltm::ClientSSL Profile: ssl-exchange-2                         
--------------------------------------------------------------------------------
Virtual Server Name                                               N/A
                                                            
Bytes                                                         Inbound  Outbound
  Encrypted                                                      5.8M     14.7M
  Decrypted                                                      1.1M      2.0M

...
                                                            
Protocol                                                    
  SSL Protocol Version 2                                            0
  SSL Protocol Version 3                                           21
  TLS Protocol Version 1.0                                         32
  TLS Protocol Version 1.1                                         54
  TLS Protocol Version 1.2                                        282
  DTLS Protocol Version 1                                           0

In order for a customer to know if he can safely disable SSLv3, he has to know how much SSLv3 his site is still processing. If it’s a non-trivial amount, then they’ll probably want to wait. Google, for example, was behind the POODLE announcement, but they still accept SSLv3.

F5 has some customers who report that up to 15% of their traffic is SSLv3. They aren’t willing to trade that 15% for an A grade from SSL labs. Most customers have no idea what their traffic split is.

The tmsh command above can give you the counts you need, but just for fun, let’s cook up an iRule that will categorize SSL traffic using the iStats statistical aggregator doo-dad. The iStats feature is so cool that F5 barely documents it or promotes it in any way.

With iStats we can create customized statistics, and associate those stats with existing F5 configuration objects. So the heart of our iRule will be this little phrase:

when CLIENTSSL_HANDSHAKE {
        ISTATS::incr "ltm.virtual [virtual name] c [SSL::cipher version]" 1
    }

The code phrase simply creates statistical values named ‘SSLv3’, ‘TLSv1’, ‘TLSv1_1’ and ‘TLSv1_2’ and associates them with the virtual server (returned by [virtual name]) that the iRule is attached to at runtime.

If we were to attach that iRule snippet to your virtual server named “stdsslvip,” then we could actually see the statistics with a normal ‘tmsh show’ command! 

[davidh@murky:Active] ~ # tmsh show ltm virtual stdsslvip

and the result looks like this:

------------------------------------------------------------------
Ltm::Virtual Server: stdsslvip 
------------------------------------------------------------------
Status                         
  Availability     : available 
  State            : enabled   
  Reason           : The virtual server is available
  CMP              : enabled   
  CMP Mode         : all-cpus  
  Destination      : 192.168.2.189:443
                               
Traffic                             ClientSide  Ephemeral  General
  Bits In                               872.0K          0        -
  Bits Out                                3.7M          0        -
  Packets In                               943          0        -
  Packets Out                              871          0        -

User-defined  Value
  SSLv3     21
  TLSv1     32
  TLSv1.1   54
  TLSv1.2  282

Binding the statistics directly to the virtual server is pretty neat, but by pulling in the Google Charts javascript widget, we can have the iRule display a cool, interactive graph. We’ll trigger the graph by watching for the URL “/sslversions”.

In our browser, we enter https://<stdsslvip>/sslversions.

And then, voila, we get a pretty page back. This is the kind of page that we can include in our weekly TPS report to our so-called superior.

If we want to query more than one virtual server at at time, we can use the handy-dandy istats dump command like this:

[davidh@murky:Active] ~ # istats dump

all facts:

[ ltm.virtual=/Common/stdsslvip ][TLSv1.1] = 54 (2015-09-01 13:52:20)
[ ltm.virtual=/Common/stdsslvip ][SSLv3] = 21 (2015-09-01 13:52:20)
[ ltm.virtual=/Common/stdsslvip ][TLSv1.2] = 282 (2015-09-01 13:52:20)
[ ltm.virtual=/Common/stdsslvip ][TLSv1] = 32 (2015-09-01 13:52:20)

By using the iRule, you can tell how much of your traffic is SSLv3. Once you have the breakdown of SSL versions, you can make knowledgeable decision about whether or not to disable SSLv3.

My recommendation is that if even 5% of your traffic is SSLv3, keep it enabled. POODLE was mostly a browser issue anyway. Just be sure that you use a stream cipher like RC4. You can find more information about how configure SSLv3 with RC4 from Jeff Costlow’s article: SSLv3 POODLE mitigation recommendations.

And finally, here's a link to the iRule code snippet.

https://devcentral.f5.com/s/articles/categorize-ssl-traffic-by-version-display-as-graph

Use as you see fit, and if you have any modifications send them my way and I'll merge them into the codeshare.

Updated Jun 06, 2023
Version 2.0

Was this article helpful?

8 Comments

Sort By
  • shx_209705's avatar
    shx_209705
    Icon for Nimbostratus rankNimbostratus
    Sep 09, 2015
    Is it possible to use a similar way to graph the ciphers actually negotiated? I'd like to have something like this wikimedia dashboard https://tessera.wikimedia.org/dashboards/6/
  • Chase_Abbott's avatar
    Chase_Abbott
    Icon for Employee rankEmployee
    Sep 09, 2015
    @shx; If you look at the above code, you'll see SSL::Cipher Version used to split out SSL/TLS versions. We also have SSL::Cipher Name available which would allow you to display the cipher used. Check out David's Codeshare for the full script and then go here: *https://clouddocs.f5.com/api/irules/SSL__cipher.html* for more information on available SSL commands that would beef this report up to something similar to the pretty sweet wiki page.
  • MegaZone's avatar
    MegaZone
    Icon for SIRT rankSIRT
    Sep 11, 2015
    Note that PCI DSS 3.1 requires SSLv3 and TLSv1.0 to be removed from any existing environments by June 30, 2016. And they must not be introduced to any *new* environments at this point. https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information_Supplement_v1.pdf Be aware of this if PCI is a requirement in your environment.
  • Chris_17748's avatar
    Chris_17748
    Icon for Nimbostratus rankNimbostratus
    Sep 14, 2015
    What is the timeframe for the protocol counts? Is it something along the lines of when the box was last rebooted or is there a more fixed time like 30 days? This is important as it helps to understand how long of a period the data is spread over and given the SSLv3 traffic should be shrinking I am more interested in more recent traffic. I can always generate the report weekly and use that to see the trend, but if I don't have to that would be great.
  • Brad_Parker's avatar
    Brad_Parker
    Icon for Cirrus rankCirrus
    Apr 12, 2016
    Another easy solution I cam across that works well. tmsh show ltm profile client-ssl | grep 'Ltm::ClientSSL\|SSL Protocol Version 3'
  • Kris_20135's avatar
    Kris_20135
    Icon for Nimbostratus rankNimbostratus
    Nov 30, 2016

    I don't see an answer to the question that was asked above....what is the timeframe for this data?

     

  • Kris_20135's avatar
    Kris_20135
    Icon for Nimbostratus rankNimbostratus
    Dec 01, 2016

    This is very helpful. Does anyone know if this info can also be obtained via the iControl REST?