Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Cipher negotiated between F5 and Node

Go to solution
prashanth
Nimbostratus
Nimbostratus

‎04-Dec-2020 05:59

Hi There,

We are currently in the process of upgrading F5 from v12 to v13. We came across an issue due to depreciated ciphers. Some of our VIPs were using the DEFAULT cipher suite and since some legacy ciphers were depreciated in the new version, caused an outage for us.

 

In order to mitigate this issue in future upgrades is there any way to check all the ciphers negotiated between the F5 and Nodes before hand, hence we can verify this against the supported ciphers in the latest version.

 

Appreciate any other solutions that can mitigate the issue for our scenario.

 

Thanks in Advance

 

Cheers

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
jaikumar_f5
MVP
MVP

‎06-Dec-2020 00:25

Here's what you could had done,

1. ​Run the tmm --clientciphers <suite> command in both the versions and see the difference. Don't forget to frame the command with your existing cipher suite.

​2. As you suspect the issue is on the server side, you can run the same command like,

tmm ---serverciphers <suite> and identify the differences. If it's DEFAULT, use DEFAULT.

3. Other option is to use the openssl/curl command to be run against your nodes to see which cipher was selected. I prefer openssl.

4. The easiest way would be to map an irule to log the ciphers. If you want client side, use clientssl_handshake event, since you need on serverside, use serverssl_handshake event and log below entries.

SSL Version - [SSL::cipher version]

Cipher Name - [SSL::cipher name]

Bits Strength - [SSL::cipher bits]

If you need help in framing Irule, let us know.​

View solution in original post

0 Kudos
6 REPLIES 6

Go to solution
Samir
MVP
MVP

‎04-Dec-2020 09:58

1. Generate the qkview and upload the ihealth.f5.com

​2. Open support care for most stable version in v13.x

3. Do the proper plan before upgrade.

Thanks​

0 Kudos

Go to solution
prashanth
Nimbostratus
Nimbostratus
In response to Samir

‎04-Dec-2020 17:11

i think you are not getting my question here, my question is more simple though, is there any commands available to check the cipher negotiated between F5 and backend node in F5?

0 Kudos

Go to solution
Samir
MVP
MVP
In response to prashanth

‎04-Dec-2020 18:51

Capture the packet via ssldump and see the ​negotiated cipher details.

0 Kudos

Go to solution
prashanth
Nimbostratus
Nimbostratus

‎05-Dec-2020 02:12

This is also a known solution, even without SSLdump just with simple curl command we can find the cipher. But my question is whether I can see the cipher negotiated with ALL THE NODES with F5 via any command.

0 Kudos

Go to solution
jaikumar_f5
MVP
MVP

‎06-Dec-2020 00:25

Here's what you could had done,

1. ​Run the tmm --clientciphers <suite> command in both the versions and see the difference. Don't forget to frame the command with your existing cipher suite.

​2. As you suspect the issue is on the server side, you can run the same command like,

tmm ---serverciphers <suite> and identify the differences. If it's DEFAULT, use DEFAULT.

3. Other option is to use the openssl/curl command to be run against your nodes to see which cipher was selected. I prefer openssl.

4. The easiest way would be to map an irule to log the ciphers. If you want client side, use clientssl_handshake event, since you need on serverside, use serverssl_handshake event and log below entries.

SSL Version - [SSL::cipher version]

Cipher Name - [SSL::cipher name]

Bits Strength - [SSL::cipher bits]

If you need help in framing Irule, let us know.​

0 Kudos

Go to solution
prashanth
Nimbostratus
Nimbostratus

‎08-Dec-2020 05:00

Thank You Jaikumar for the reply.

0 Kudos
Copyright © 2023 Khoros, LLC