Forum Discussion

PSPK's avatar
PSPK
Icon for Nimbostratus rankNimbostratus
Dec 16, 2020

Log the TLS version of a client connecting to a TCP VIP with no HTTP or client-ssl Profile

Hello,

 

I have a TCP VIP on port 995 with no HTTP Profile or client-ssl profile.

There are several clients that makes SSL connections to this VIP.

I need to know the client SSL/TLS version.

 

I tried to apply the below irule and it threw me the following error..

 

when CLIENTSSL_HANDSHAKE {

    if { [info exists logged] && $logged == 1 }{

       #Do nothing. Already logged for this connection

    } else {

      set logged 1

      log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] "

    }

  }

 

01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_exchange-2016_pop3_MWDC).

 

I really need an irule to help me log the incoming client TLS versions

 

Please help.

 

 

Thanks :)

application delivery
Do
iRules
LTM
security
TLS Verison

2 Replies

Sort By
  • jaikumar_f5's avatar
    jaikumar_f5
    Icon for MVP rankMVP
    Dec 17, 2020

    Hi  ,

     

    This cannot be achieved with your existing setup. You have to offload the traffic to get that information. It clearly tells you on the log error message.

     

    01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_exchange-2016_pop3_MWDC).

  • Mayur_Sutare's avatar
    Mayur_Sutare
    Icon for MVP rankMVP
    Dec 17, 2020

    Hi, Fully agreed with  , As your setup is SSL Pass-through, BigIP is not participating in encryption. You should map associated profiles on the VS to understand the traffic being processed. Here as you want F5 to inspect SSL Handshake, you should configure client SSL profile on it.