ssl cipher
3 Topics

Log SSL Cipher Version and User Agent Info
Hi, I need to log if there are connections using an SSLv3 cipher before disabling it. I'm using this code:

```tcl
when CLIENTSSL_HANDSHAKE {
    # Count handshakes per protocol version under this virtual server's stats
    ISTATS::incr "ltm.virtual [virtual name] c [SSL::cipher version]" 1
    # Flag SSLv2/SSLv3, RC4, or a symmetric key shorter than 128 bits
    if { ([SSL::cipher version] contains "SSL") or ([SSL::cipher name] contains "RC4") or ([SSL::cipher bits] < 128) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
```

That way I get the usage of the different cipher versions, but there isn't any information about OS or browser. That info is in [HTTP::header User-Agent] but can't be used inside CLIENTSSL_HANDSHAKE. It could be done in HTTP_REQUEST, but it would be executed several times for the same session and the stats wouldn't be reliable. How could I log the cipher version and User-Agent data just once for each session? Thanks

431 Views, 0 Likes, 3 Comments

BigIP 11.6 HF4 + SSL ciphers
We've recently upgraded to 11.6 to eliminate Chrome's obsolete cryptography message. I have an iRule that is allowing me to perform Strict Transport Security (HSTS), allowing us to obtain an A+ rating from ssllabs. The issue we're having now is that I cannot find a suitable combination of ciphers to allow Chrome to display the following message:

"The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism."

I've been able to find a way to enable ECDHE_RSA as the key exchange; however, the encryption that ends up being used is AES_256_CBC, resulting in the obsolete cryptography message appearing. I need to know how to get clients to prefer a GCM cipher, right? Evidently DHE_RSA does not allow for PFS to be enabled. Any recommendations for a cipher string? This is what I've tried so far, with no luck:

```
!SSLv2:!SSLv3:!MD5:!EXPORT:ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES
!SSLv2:!SSLv3:!MD5:!EXPORT:!SHA1:ECDHE+AES:ECDHE+3DES:RSA+AES:RSA+3DES
!LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA
```

I was able to obtain an A+ rating on ssllabs using the following ciphers; however, now the Obsolete message is back:

```
ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3
```

"Your connection to domain.com is encrypted with obsolete cryptography. The connection uses TLS 1.2. The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism."

874 Views, 0 Likes, 9 Comments

TMOS SSL TLS Cipher Cheat Sheet
Hi, for ease of use I summarized the content of a previous post into a printable format (available as PDF in Letter and European A4 format) via the following external links: TMOS SSL TLS Cipher Cheat Sheet v0.1 (Letter), TMOS SSL TLS Cipher Cheat Sheet v0.1 (A4). The content of both PDFs (version 0.1) is shown below.

Page 1/4 to Page 4/4: cheat sheet pages (embedded as images, not reproduced here)

I started working with another editor to crunch the size of the next PDFs. The next version will contain fixes and additions based on community feedback. Thanks, Stephan

749 Views, 0 Likes, 1 Comment
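The following iRule is an added example, not code from any of the posts above. It addresses the first topic (logging cipher version and User-Agent once per session rather than on every request) and is also a practical way to answer the question in the second topic, since the log line shows which cipher suite a given browser actually negotiated (GCM versus CBC) instead of guessing from the cipher string. It assumes an HTTP virtual server with a client SSL profile attached; the log format and the counter name "weak_ssl_sessions" are illustrative choices, and the "weak" criteria are the ones from the first post.

```tcl
# Added example (not from the original posts). Record TLS parameters at
# handshake time, then pair them with the User-Agent of the first HTTP
# request on the connection and log once.
when CLIENTSSL_HANDSHAKE {
    # Fires once the handshake completes, before any HTTP_REQUEST on this
    # connection, so the values can be kept in connection-scoped variables
    # for later events.
    set ssl_ver  [SSL::cipher version]
    set ssl_name [SSL::cipher name]
    set ssl_bits [SSL::cipher bits]
    set ssl_logged 0

    # Same "weak" criteria as the first post: any SSL (not TLS) version,
    # RC4, or a symmetric key shorter than 128 bits.
    if { ($ssl_ver contains "SSL") or ($ssl_name contains "RC4") or ($ssl_bits < 128) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }

    # Per-protocol-version counter, as in the first post.
    ISTATS::incr "ltm.virtual [virtual name] c $ssl_ver" 1
}

when HTTP_REQUEST {
    # Only the first request on the connection is logged, so a keep-alive
    # session carrying many requests produces exactly one line. The
    # info-exists guard keeps the iRule safe if it is ever attached to a
    # virtual server without a client SSL profile.
    if { [info exists ssl_logged] && !$ssl_logged } {
        set ssl_logged 1
        log local0. "client=[IP::client_addr] version=$ssl_ver cipher=$ssl_name bits=$ssl_bits weak=$invalid_ssl ua=\"[HTTP::header User-Agent]\""
        # Illustrative counter name (assumption): number of weak sessions
        # that actually carried HTTP traffic.
        if { $invalid_ssl } {
            ISTATS::incr "ltm.virtual [virtual name] c weak_ssl_sessions" 1
        }
    }
}
```

"Once per session" here means once per TCP connection: CLIENTSSL_HANDSHAKE runs for every completed handshake, including an abbreviated one that resumes an earlier TLS session, so a client that reconnects is counted again. For the second topic, the cipher field is the thing to read: if Chrome logs an AES256 CBC suite while a GCM suite is in the string, the server-side ordering, not the client, is what to adjust, because BIG-IP prefers the server's cipher order by default.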