16-Dec-2020 13:42
Hello,
I have a TCP VIP on port 995 with no HTTP Profile or client-ssl profile.
There are several clients that make SSL connections to this VIP.
I need to know the client SSL/TLS version.
I tried to apply the iRule below, and it threw the following error:

    when CLIENTSSL_HANDSHAKE {
        # Log the negotiated cipher and protocol version once per connection
        if { [info exists logged] && $logged == 1 } {
            # Do nothing. Already logged for this connection
        } else {
            set logged 1
            log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] "
        }
    }

01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_exchange-2016_pop3_MWDC).
I really need an iRule to help me log the incoming client TLS versions.
Please help.
Thanks 🙂
17-Dec-2020 07:22 - last edited on 24-Mar-2022 01:24 by li-migration
Hi,
This cannot be achieved with your existing setup. You have to offload the traffic to get that information. The error message in the log clearly tells you this.
01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_exchange-2016_pop3_MWDC).
17-Dec-2020 08:34 - last edited on 24-Mar-2022 01:24 by li-migration
Hi, fully agreed with , as your setup is SSL pass-through, BIG-IP is not participating in encryption. You should map the associated profiles on the VS to understand the traffic being processed. Here, as you want F5 to inspect the SSL handshake, you should configure a client SSL profile on it.
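
For reference on what the SSL handshake discussed in this thread carries, the following added example (not from the thread and not F5 code) parses a TLS ClientHello, the first message a client sends on an implicit-TLS port such as 995, and lists the protocol versions the client offers. The function names and sample bytes are constructed for illustration, and the parser assumes the whole ClientHello arrives in a single TLS record.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]

def offered_versions(data):
    """Return the TLS versions a ClientHello offers, highest first."""
    try:
        # Record header: type 0x16 (handshake), version(2), length(2);
        # handshake header: type 0x01 (ClientHello), length(3).
        if data[0] != 0x16 or data[5] != 0x01:
            raise ValueError("not a TLS ClientHello")
        body = data[9:5 + u16(data, 3)]
        versions = [u16(body, 0)]            # legacy client_version
        pos = 2 + 32                         # skip version + random
        pos += 1 + body[pos]                 # session_id
        pos += 2 + u16(body, pos)            # cipher_suites
        pos += 1 + body[pos]                 # compression_methods
        end = pos + 2 + u16(body, pos) if pos < len(body) else pos
        pos += 2
        while pos + 4 <= end:                # walk the extensions
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == 43:               # supported_versions (TLS 1.3 clients)
                count = body[pos + 4]
                versions = [u16(body, pos + 5 + i) for i in range(0, count, 2)]
            pos += 4 + ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    # Drop GREASE placeholders (0x0a0a, 0x1a1a, ...) and unknown values.
    return [NAMES[v] for v in sorted(set(versions), reverse=True) if v in NAMES]

def sample_hello(legacy, supported=()):
    """Build a minimal ClientHello (constructed test data, not a capture)."""
    body = (struct.pack("!H", legacy) + bytes(32) + b"\x00"
            + struct.pack("!HH", 2, 0x002F) + b"\x01\x00")
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(lst) + 1, len(lst)) + lst
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(offered_versions(sample_hello(0x0303, (0x0A0A, 0x0304, 0x0303))))
```

The result is what the client offers, not what is negotiated; the `SSL::cipher version` value in the iRule above is the negotiated version.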