Technical Forum
Log TLS version in Irule for TCP VIP

ToonVA
Cirrus

Hi All,

I am working on a project to remove all TLS 1.0 connections on F5, but we first need to know who is still connecting to certain VIPs.

There is already an iRule defined by one of my colleagues, but this only works when there is an HTTP profile attached. We also have plain TCP VIPs with SSL offloading, so I can't attach the iRule below to them.

when HTTP_REQUEST {
    if { [info exists logged] && $logged == 1 } {
        # Do nothing. Already logged for this connection
    } else {
        set logged 1
        log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] Client:[HTTP::header "User-Agent"]:[HTTP::host]"
    }
}

I am not good at scripting, but I understand the logic above and need something similar without the HTTP_REQUEST event etc., because the TCP VIP does not handle HTTP traffic...

Can someone help me make an iRule which will work with plain TCP?

4 REPLIES

Rico
Cirrus

Try using the CLIENTSSL_HANDSHAKE event instead of the HTTP_REQUEST event. Documentation for it here


ToonVA
Cirrus

Thanks for the information. I did some research and managed to get it running on our infra. Below is the iRule I reworked for a TCP-enabled VIP (without an HTTP profile).

when CLIENTSSL_HANDSHAKE {
    if { [info exists logged] && $logged == 1 } {
        # Do nothing. Already logged for this connection
    } else {
        set logged 1
        log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits]"
    }
}

The "WAARDE" string is the trigger I can search for in the LTM log file, /var/log/ltm.

LTM output example (masked some items with ):

Line 429655: Jan 17 08:34:24 slot2/VCMP- info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG_172... : WAARDE TLS1.0 check, from 10... to vip 172... Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128
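As an added example (not code from this thread or from F5), here is a small Python script that parses lines in the layout of the LTM output above and summarizes, per VIP, which client addresses negotiated a protocol version below TLS 1.2. This is the inventory step the thread is after: the iRule writes one line per connection, and the script turns those lines into a list of clients still to be migrated. The sample log lines, the rule name, the vCMP slot and all IP addresses are constructed for the example; the field order follows the `log` statement in the iRule above.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/ltm lines in the layout produced by the
# iRule's log statement. Rule name, slot and all addresses are made up.
SAMPLE_LTM_LOG = """\
Jan 17 08:34:24 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG <CLIENTSSL_HANDSHAKE>: WAARDE TLS1.0 check, from 10.0.0.5 to vip 172.16.0.10 Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128
Jan 17 08:34:25 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG <CLIENTSSL_HANDSHAKE>: WAARDE TLS1.0 check, from 10.0.0.6 to vip 172.16.0.10 Cipher ECDHE-RSA-AES256-GCM-SHA384:TLSv1.2:256
Jan 17 08:34:26 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG <CLIENTSSL_HANDSHAKE>: WAARDE TLS1.0 check, from 10.0.0.5 to vip 172.16.0.10 Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128
Jan 17 08:34:27 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG <CLIENTSSL_HANDSHAKE>: WAARDE TLS1.0 check, from 10.0.0.7 to vip 172.16.0.11 Cipher AES128-SHA:TLSv1.1:128
Jan 17 08:34:28 slot2/VCMP-1 info tmm[19343]: 01220002:6: some unrelated ltm message
"""

# Fields in the order the iRule logs them: client, vip, then cipher name:version:bits.
TLS_CHECK_RE = re.compile(
    r"WAARDE TLS1\.0 check, from (?P<client>\S+) to vip (?P<vip>\S+) "
    r"Cipher (?P<cipher>[^:\s]+):(?P<version>[^:\s]+):(?P<bits>\d+)"
)

# Negotiated protocol versions a TLS 1.0 clean-up project wants to find and retire.
LEGACY_VERSIONS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})


def parse_tls_log_line(line):
    """Return a dict with client/vip/cipher/version/bits, or None for any other ltm line."""
    m = TLS_CHECK_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    return rec


def summarize_tls_versions(log_text):
    """Map each VIP to {negotiated version: set of client addresses}."""
    by_vip = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_tls_log_line(line)
        if rec is not None:
            by_vip[rec["vip"]][rec["version"]].add(rec["client"])
    return {vip: dict(versions) for vip, versions in by_vip.items()}


def legacy_clients(log_text, legacy=LEGACY_VERSIONS):
    """Sorted, de-duplicated (client, vip, version, cipher) tuples for handshakes below TLS 1.2."""
    seen = set()
    for line in log_text.splitlines():
        rec = parse_tls_log_line(line)
        if rec is not None and rec["version"] in legacy:
            seen.add((rec["client"], rec["vip"], rec["version"], rec["cipher"]))
    return sorted(seen)


if __name__ == "__main__":
    # On a BIG-IP you would feed this the output of `grep WAARDE /var/log/ltm` instead.
    for vip, versions in sorted(summarize_tls_versions(SAMPLE_LTM_LOG).items()):
        for version, clients in sorted(versions.items()):
            print(f"{vip:<15} {version:<8} {len(clients):>3} client(s): {', '.join(sorted(clients))}")
    print("\nStill below TLS 1.2:")
    for client, vip, version, cipher in legacy_clients(SAMPLE_LTM_LOG):
        print(f"  {client} -> {vip}  {version}  {cipher}")
```

Because the iRule sets `logged` once per connection, each log line is one TCP connection; the sets above collapse repeat connections from the same address so the report lists distinct clients rather than connection counts. `SSL::cipher version` is the version actually negotiated, so a single address can appear under more than one version if several applications behind it connect with different TLS stacks.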

Hello,


I have a TCP VIP on port 995 with no HTTP profile or client-ssl profile.

I tried to apply the above iRule and it threw the following error:


01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_exchange-2016_pop3_MWDC).


I really need an iRule to help me log the incoming client TLS versions.

Samir
MVP

Without an SSL profile, you will not be able to use a CLIENTSSL_HANDSHAKE event-based iRule.


FYI, the BIG-IP LTM Client SSL profile supports POP3S (port 995).