Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

TLS versions in ClientHello

Sam_D_
Nimbostratus
Nimbostratus

‎07-May-2020 01:24

I'm wondering how I can read TLS versions such as TLS version in Record Layer and the Max supported TLS version from ClientHello message by using:

when CLIENTSSL_CLIENTHELLO {

}

Labels:
0 Kudos
6 REPLIES 6

Samir
Nacreous
Nacreous

‎07-May-2020 04:26

* Below irule will help you to know the Client request with TLS version but log will be forwarded to "/var/tmp/ltm"

when HTTP_REQUEST { log local0. "Client address [IP::client_addr] and TLS version is [SSL::cipher version]" }

* Max Supported TLS version is TLS1.3 in v14.x+ , however tls1.2 is secure and highly used for all applications

The BIG-IP system has the following SSL profile limitations:

  • In the Client SSL profile, TLS 1.3 is disabled by default and not available for client connections. You can enable TLS 1.3 in the client SSL profile by removing the No TLSv1.3 option in the Enabled Options list; however, you should use TLS 1.3 only for testing and not in a production environment.
  • TLS 1.3 is *not* currently supported for the Server SSL profile
0 Kudos

Sam_D_
Nimbostratus
Nimbostratus

‎07-May-2020 04:46

@Samir thanks for your help! I'm interested in TLS version info from Client side, mainly from ClientHello during SSL handshake between client and BigIP

0 Kudos

Mayur_Sutare
MVP
MVP

‎07-May-2020 05:04

Please check below one if it helps.

 

​when CLIENTSSL_CLIENTHELLO {

log local0. [IP::client_addr]

log local0. [SSL::cipher version]

}

Mayur​

0 Kudos

Samir
Nacreous
Nacreous
In response to Mayur_Sutare

‎07-May-2020 05:12

Generally we see TLS/SSL renegotiation in ssldump. I don't think record-layer TLS version will display via iRule. I believe SSL debug has to enable to check or capture packet via ssldump..

 

 

0 Kudos

jaikumar_f5
MVP
MVP

‎08-May-2020 19:31

May we know what is the requirement here, this should be a troubleshooting via wireshark. The Client will always give the lowest supported protocol on the record layer and in the handshake protocol with the highest. There should not be any handshake failures because of record layer protocol.

 

If you still want it, you have to dissect the packets like below,

 

https://devcentral.f5.com/s/articles/advanced-irules-binary-scan-20453

0 Kudos

Sam_D_
Nimbostratus
Nimbostratus
In response to jaikumar_f5

‎10-May-2020 23:25

We are investigating a reported issue from our customer that they often receives Connection Reset after SSL Handshake. we suspect that it is related to the outdated version TLSv1.0/1 is being used by that customer either in TLS version for Record Layer or with the Max supported TLS version in the Client-Hello message itself

0 Kudos
Copyright © 2022 Khoros, LLC