Is there any way to test the SSL/TLS versions currently running through F5 so that I can disable/remove weak ciphers and the SSLv3, TLS1.0 and TLS1.1 versions?
So I need to disable SSLv3/TLS1.0 and TLS1.1, but once I finish my change, I want to make sure that F5 is no longer processing any SSLv3 or TLS1.0/TLS1.1 traffic and is only supporting TLS1.2.
Do we have any tool or website to test this, or is there any way we can test it through the F5 CLI?
There are many free tools available to validate application security.
Example: openssl is a built-in tool to initiate a connection with a specific protocol (sslv1, tls1.0, etc.); this will be helpful if your application is only exposed to an internal/intranet network.
Another free one is the Qualys SSL test. This will be helpful to initiate all types of tests, in fact even browser compatibility.
Hope this will help.
To test ciphers you can use Wireshark to check the "Server Hello" as below to see which cipher F5 selected from the client's cipher list during negotiation, or you can use a command as below.
[root@lb2:Standby:In Sync] config # openssl s_client -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -connect 192.168.148.184:443
Cipher suites are configured per SSL profile (Client/Server); you need to type "TLSv1_2" in the cipher string as seen below to only support TLSv1_2 ciphers.
You can also check via the CLI by typing the command below to list the ciphers supported for TLSv1.2 only.
[root@lb2:Standby:In Sync] config # tmm --clientcipher TLSv1_2
Usually use nmap or openssl for internal sites and Qualys SSL Labs for external sites.
Sample NMAP Command
nmap -sV -p 443 --script ssl-cert,ssl-enum-ciphers <host>
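As an added example that is not part of the thread above: one way to turn the nmap check into a pass/fail test after the change is to parse the `ssl-enum-ciphers` output and flag any legacy protocol version still offered. The function names (`offered_protocols`, `audit_scan`) and both sample scans are constructed for illustration.

```shell
# Added example (not from the thread): audit `nmap --script ssl-enum-ciphers`
# output read on stdin. Function names and both sample scans are constructed.

# Print each protocol version heading found in the scan, one per line.
offered_protocols() {
    # Version headings look like "|   TLSv1.0:" under "| ssl-enum-ciphers:".
    sed -n -E 's/^\|_?[[:space:]]+((SSLv|TLSv)[0-9]+(\.[0-9]+)?):[[:space:]]*$/\1/p' | sort -u
}

# Print the legacy versions (SSLv2/SSLv3/TLSv1.0/TLSv1.1) still offered.
# Return 0 only when none are offered and TLSv1.2 is; TLSv1.3 is not flagged.
audit_scan() {
    offered=$(offered_protocols)
    legacy=$(printf '%s\n' "$offered" | grep -x -E 'SSLv[23]|TLSv1\.[01]' || true)
    if [ -n "$legacy" ]; then
        printf '%s\n' "$legacy"
        return 1
    fi
    # An empty or unparsable scan must not pass: require TLSv1.2 to be present.
    printf '%s\n' "$offered" | grep -q -x 'TLSv1\.2'
}

# Constructed sample: scan of a listener before the cipher string change.
sample_before() {
    cat <<'EOF'
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
EOF
}

# Constructed sample: the same scan with the TLSv1.0/TLSv1.1 blocks removed.
sample_after() { sample_before | sed '/TLSv1\.[01]:/,/ - A$/d'; }

echo "before: still offered: $(sample_before | audit_scan | tr '\n' ' ')"
sample_after | audit_scan && echo "after: no legacy versions offered"
```

Against a live virtual server, pipe the nmap command from the thread into `audit_scan` and use its exit status as the result of the check.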