02-Apr-2020 15:09
Hi,
Is there any way to test which SSL/TLS versions are currently running through the F5, so that I can disable/remove weak ciphers and the SSLv3/TLS1.0 and TLS1.1 versions?
So I need to disable SSLv3/TLS1.0 and TLS1.1, but once I finish my change, I want to make sure that the F5 is no longer processing any SSLv3 or TLS1.0/TLS1.1 traffic and is only supporting TLS1.2.
Do we have any tool or website to test this, or is there a way to test it through the F5 CLI?
02-Apr-2020 19:42
There are many free tools available to validate application security.
Example: openssl is a built-in tool to initiate the connection with a specific protocol (sslv1, tls1.0, etc.); this will be helpful if your application is only exposed to the internal/intranet network.
Another free one is the Qualys SSL test. This will be helpful to initiate all types of tests, in fact browser compatibility too.
https://www.ssllabs.com/ssltest/
Hope this will help.
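Added worked example (my own script, not code from the replies above or from F5): it forces each protocol version that openssl s_client can request against the virtual server and reports whether the BIG-IP completed the handshake, refused the version, or whether the local openssl build cannot even request it. Run it from a host that reaches the VIP, once before and once after the client SSL profile change; after the change only the tls1_2 row should show a cipher. The hostname vip.example.com and the sample transcripts are placeholders I constructed, not captures from a real device.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5: force each protocol
# version that openssl s_client can request and record what the virtual
# server does with it. Run it from a host that reaches the VIP, before and
# after the client SSL profile change. vip.example.com is a placeholder.

# summarize_handshake: read `openssl s_client` output on stdin and print
#   "<protocol> <cipher>"  when a session was negotiated,
#   "rejected"             when the server refused that version, or
#   "untestable"           when this openssl build cannot request it
#                          (modern builds drop -ssl3 entirely).
summarize_handshake() {
    out=$(cat)
    case "$out" in
        *"nknown option"*) echo "untestable"; return 0 ;;
    esac
    # After the handshake s_client prints "New, <proto>, Cipher is <name>";
    # "(NONE)" there means the server alerted instead of completing it.
    # Older OpenSSL prints "TLSv1/SSLv3" as the protocol for TLS 1.0-1.2;
    # the cipher name still tells you what was negotiated.
    line=$(printf '%s\n' "$out" | grep '^New, ' | head -n 1)
    case "$line" in
        ""|*"Cipher is (NONE)"*) echo "rejected" ;;
        *) printf '%s\n' "$line" | sed 's/^New, \(.*\), Cipher is \(.*\)$/\1 \2/' ;;
    esac
}

# probe_versions HOST [PORT]: one line per protocol version. After disabling
# SSLv3/TLS1.0/TLS1.1 only the tls1_2 row should show a cipher.
probe_versions() {
    host=$1
    port=${2:-443}
    for v in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        # `echo |` closes stdin so s_client exits after the handshake instead
        # of waiting for request data. -servername matters when the VIP
        # selects the client SSL profile by SNI; drop it if HOST is an IP.
        result=$(echo | openssl s_client "-$v" -servername "$host" \
            -connect "$host:$port" 2>&1 | summarize_handshake)
        printf '%-8s %s\n' "$v" "$result"
    done
}

# Constructed, trimmed s_client transcripts used to exercise the parser
# offline; they are not captures from a real BIG-IP.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = vip.example.com
---
SSL handshake has read 3243 bytes and written 433 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'

SAMPLE_REJECTED='CONNECTED(00000003)
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 176 bytes
---
New, (NONE), Cipher is (NONE)'

SAMPLE_UNTESTABLE='s_client: Unknown option: -ssl3
s_client: Use -help for summary.'

# Usage: sh probe.sh vip.example.com [443]
if [ $# -gt 0 ]; then
    probe_versions "$@"
fi
```

Two caveats a tester should keep in mind: a "rejected" row for ssl3 proves nothing if the row for tls1_2 is also rejected (the VIP may simply be unreachable from where you run it), and an "untestable" row means your openssl was built without that protocol, so test SSLv3 from an older build or with nmap instead of assuming it is off.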
03-Apr-2020 06:39
Hi Korai,
To test ciphers you can use Wireshark to check the "Server Hello" as below, to see which cipher the F5 selected from the client's cipher list during negotiation, or you can use the command below.
[root@lb2:Standby:In Sync] config # openssl s_client -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -connect 192.168.148.184:443
Cipher suites are configured per SSL profile (client/server); you need to put "TLSv1_2" in the cipher string, as seen below, to support only TLSv1_2 ciphers.
You can also check via the CLI by typing the following command to list the ciphers supported for TLSv1.2 only.
[root@lb2:Standby:In Sync] config # tmm --clientciphers TLSv1_2
03-Apr-2020 09:07
I usually use nmap or openssl for internal sites and Qualys SSL Labs for external sites.
Sample NMAP Command
nmap -sV -p 443 --script ssl-cert,ssl-enum-ciphers <host>
References
https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
https://www.ssllabs.com/
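Added worked example (my own script, not code from the reply above or from the nmap project): it runs the ssl-enum-ciphers scan quoted in that reply and turns the report into a pass/fail check, so the "is the F5 really TLS1.2-only now?" question from the original post can be answered by a script rather than by eyeballing the output. The hostname vip.example.com and the two report excerpts are placeholders I constructed, not real scan results.

```shell
#!/bin/sh
# Added example, not code from the thread or from the nmap project: run the
# ssl-enum-ciphers scan from the answer above and turn the report into a
# pass/fail check that only the allowed protocol versions are offered.
# vip.example.com is a placeholder.

# protocols_in_report: read nmap output on stdin and print each protocol
# section header ssl-enum-ciphers emitted ("|   TLSv1.0:" -> "TLSv1.0").
protocols_in_report() {
    awk '/^[|][ _]*(SSLv3|TLSv1\.[0-3]):/ { sub(/^[|][ _]*/, ""); sub(/:.*$/, ""); print }'
}

# report_allows_only ALLOWED: exit 0 if every protocol section in the report
# on stdin is in the space-separated ALLOWED list, e.g. "TLSv1.2". A report
# with no protocol sections fails too: that means the scan did not complete a
# handshake at all (closed port, firewall, plain HTTP), not a hardened server.
report_allows_only() {
    allowed=$1
    protos=$(protocols_in_report)
    [ -n "$protos" ] || return 1
    for p in $protos; do
        case " $allowed " in
            *" $p "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# scan_host HOST [PORT]: scan, print the report, and exit non-zero when a
# version other than TLSv1.2 is still negotiable (add TLSv1.3 to the list if
# the profile enables it).
scan_host() {
    host=$1
    port=${2:-443}
    report=$(nmap -sV -p "$port" --script ssl-cert,ssl-enum-ciphers "$host")
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | report_allows_only "TLSv1.2"; then
        echo "PASS: $host:$port offers TLSv1.2 only"
    else
        echo "FAIL: $host:$port offers: $(printf '%s\n' "$report" | protocols_in_report | tr '\n' ' ')"
        return 1
    fi
}

# Constructed excerpts of ssl-enum-ciphers output (not real scan results):
# one from before the profile change, one from after.
SAMPLE_BEFORE='PORT    STATE SERVICE
443/tcp open  ssl/http
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A'

SAMPLE_AFTER='PORT    STATE SERVICE
443/tcp open  ssl/http
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A'

# Usage: sh check-tls.sh vip.example.com [443]
if [ $# -gt 0 ]; then
    scan_host "$@"
fi
```

The check deliberately treats an empty report as a failure: if the scanner could not negotiate anything, you have learned nothing about the profile, and a firewall between the scanner and the VIP is a more common reason for that than a perfectly hardened server.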