16-Jan-2019 06:25 (last edited on 01-Jun-2023 16:24 by JimmyPackets)
Hi All,
I am working on a project to remove all TLS 1.0 connections on the F5, but we first need to know who is still connecting to certain VIPs.
There is already an iRule defined by one of my colleagues, but it only works when an HTTP profile is attached. We also have plain TCP VIPs with SSL offloading, so I can't attach the iRule below to them.
when HTTP_REQUEST {
    if { [info exists logged] && $logged == 1 } {
        # Do nothing. Already logged for this connection.
    } else {
        set logged 1
        log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] Client:[HTTP::header "User-Agent"]:[HTTP::host]"
    }
}
I am not good at scripting, but I understand the logic above. I need something similar without the HTTP_REQUEST statement etc., because the TCP VIP does not handle HTTP traffic...
Can someone help me make an iRule that will work with plain TCP?
16-Jan-2019 22:42 (last edited on 01-Jun-2023 16:24 by JimmyPackets)
Thanks for the information. I did some research and managed to get it running on our infra. Below is the iRule I reworked for a TCP-enabled VIP (without an HTTP profile).
when CLIENTSSL_HANDSHAKE {
    if { [info exists logged] && $logged == 1 } {
        # Do nothing. Already logged for this connection.
    } else {
        set logged 1
        log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits]"
    }
}
The "WAARDE" string is the trigger I can search for in the LTM log file, /var/log/ltm.
LTM output example (some items masked):
Line 429655: Jan 17 08:34:24 slot2/VCMP- info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG_172... : WAARDE TLS1.0 check, from 10... to vip 172... Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128
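As an added example (not part of the original posts, and not F5 code): the log line above is only useful once it is turned into a list of which clients still negotiate TLS 1.0 against which VIP. The script below parses the "WAARDE TLS1.0 check" messages written by both iRule variants (the HTTP variant appends " Client:<User-Agent>:<host>") and aggregates them per VIP and client address. The sample log lines are constructed (documentation address ranges 192.0.2.0/24 and 198.51.100.0/24, made-up rule and host names); the `legacy_versions` parameter is my own addition, defaulting to TLSv1 but accepting e.g. ("SSLv3", "TLSv1", "TLSv1.1") to go beyond the TLS 1.0 case in the thread.

```python
import re
import sys
from collections import Counter, defaultdict

# Message format written by the iRules above (TCP variant, with an optional
# " Client:<User-Agent>:<host>" suffix from the HTTP variant).
LOG_RE = re.compile(
    r"WAARDE TLS1\.0 check, from (?P<src>\S+) to vip (?P<vip>\S+) "
    r"Cipher (?P<cipher>[^:\s]+):(?P<version>[^:\s]+):(?P<bits>\d+)"
    r"(?: Client:(?P<client>.*))?"
)

# Constructed sample lines in the shape of the /var/log/ltm output quoted above.
SAMPLE_LTM_LINES = [
    "Jan 17 08:34:24 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG : "
    "WAARDE TLS1.0 check, from 192.0.2.10 to vip 198.51.100.5 Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128 ",
    "Jan 17 08:35:02 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG : "
    "WAARDE TLS1.0 check, from 192.0.2.10 to vip 198.51.100.5 Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128 ",
    "Jan 17 08:35:40 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG : "
    "WAARDE TLS1.0 check, from 192.0.2.77 to vip 198.51.100.5 Cipher ECDHE-RSA-AES256-GCM-SHA384:TLSv1.2:256 ",
    # HTTP-variant line: the User-Agent tells you which client to chase.
    "Jan 17 08:36:11 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG_HTTP : "
    "WAARDE TLS1.0 check, from 192.0.2.23 to vip 198.51.100.9 Cipher AES256-SHA:TLSv1:256 Client:Java/1.7.0_45:mail.example.com",
    # Unrelated LTM noise that the parser must ignore.
    "Jan 17 08:36:12 slot2/VCMP-1 notice mcpd[6789]: 01070727:5: Pool /Common/pool_pop3 member 10.0.0.1:995 monitor status up.",
]


def parse_line(line):
    """Return the fields of one 'WAARDE' log line as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    return rec


def summarize(lines, legacy_versions=("TLSv1",)):
    """Count handshakes per protocol version and list legacy clients per VIP.

    Returns (by_version, legacy) where by_version is a Counter of the
    SSL::cipher version strings and legacy maps vip -> {client_ip: handshakes}
    for versions in legacy_versions.
    """
    by_version = Counter()
    legacy = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_version[rec["version"]] += 1
        if rec["version"] in legacy_versions:
            legacy[rec["vip"]][rec["src"]] += 1
    return by_version, {vip: dict(clients) for vip, clients in legacy.items()}


def report(lines, legacy_versions=("TLSv1",)):
    """Render a plain-text report; returned as a string so it can be checked or printed."""
    by_version, legacy = summarize(lines, legacy_versions)
    out = ["Handshakes per protocol version:"]
    for version, n in sorted(by_version.items()):
        out.append(f"  {version:8s} {n}")
    out.append(f"Clients still using {', '.join(legacy_versions)}:")
    for vip in sorted(legacy):
        for src, n in sorted(legacy[vip].items(), key=lambda kv: -kv[1]):
            out.append(f"  vip {vip:16s} client {src:16s} {n} handshake(s)")
    return "\n".join(out)


if __name__ == "__main__":
    # Feed it real data with:  grep WAARDE /var/log/ltm | python3 tls_report.py
    # (script name is an assumption); with no stdin data it uses the samples.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LTM_LINES
    print(report(lines or SAMPLE_LTM_LINES))
```

The regex anchors on the "WAARDE" marker rather than on the syslog prefix, so it works on the rotated `/var/log/ltm.*` files and on lines copied out of a remote syslog collector alike; anything that does not carry the marker is skipped rather than mis-parsed.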
16-Dec-2020 13:34
Hello,
I have a TCP VIP on port 995 with no HTTP profile or client-ssl profile.
I tried to apply the above iRule and it threw the following error:
01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_exchange-2016_pop3_MWDC).
I really need an iRule to help me log the incoming client TLS versions.