ssl-tls
4 Topics

TLS Version and SSLDUMP
Hi all,

I am trying to figure out if the server behind Big-IP is capable of doing TLS 1.2. Supposedly it should. I have taken a tcpdump of the target traffic as below:

    tcpdump -vvv -s 0 -nni 0.0 -w /var/tmp/www-ssl-l7_3.cap host 4O.81.38.X29 and port 7008
    ssldump -nr /var/tmp/www-ssl-l7_3.cap > /var/tmp/ssl_out.txt

The ssldump output looks like this:

    New TCP connection 1: 10.XX.17.86(30809) <-> 4O.81.38.X29(7008)
    1 1  0.0161 (0.0161)  C>S  Handshake
          ClientHello
            Version 3.3
            cipher suites
            Unknown value 0xc02c
            Unknown value 0xc024
            Unknown value 0xc00a
            Unknown value 0xc030
            Unknown value 0xc028
            Unknown value 0xc014
            Unknown value 0xc02b
            Unknown value 0xc023
            Unknown value 0xc009
            Unknown value 0xc02f
            Unknown value 0xc027
            Unknown value 0xc013
            Unknown value 0xc008
            Unknown value 0xc012
            Unknown value 0xc007
            Unknown value 0xc011
            Unknown value 0x9f
            Unknown value 0xa3
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA
            Unknown value 0x9d
            TLS_RSA_WITH_AES_256_CBC_SHA
            Unknown value 0x9e
            Unknown value 0xa2
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            Unknown value 0x9c
            TLS_RSA_WITH_AES_128_CBC_SHA
            TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
            TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            TLS_RSA_WITH_RC4_128_SHA
            TLS_RSA_WITH_RC4_128_MD5
            Unknown value 0xff
            compression methods
              NULL
    1 2  0.0297 (0.0136)  S>C  Handshake
          ServerHello
            Version 3.3
            session_id[32]=
              57 ca a1 8d 7b 9e 64 80 df b3 28 3a 82 06 ad 29
              ba f3 e6 a5 bf e7 bb a9 24 64 32 5c 93 d6 3d 78
            cipherSuite Unknown value 0x9d
            compressionMethod NULL
    1 3  0.0390 (0.0092)  S>C  Handshake
          Certificate
    1 4  0.0390 (0.0000)  S>C  Handshake
          ServerHelloDone
    1 5  0.0973 (0.0583)  C>S  Handshake
          ClientKeyExchange
    1 6  0.0973 (0.0000)  C>S  ChangeCipherSpec
    1 7  0.0973 (0.0000)  C>S  Handshake
    1 8  0.1112 (0.0138)  S>C  ChangeCipherSpec
    1 9  0.1122 (0.0010)  S>C  Handshake
    1 10 0.1150 (0.0028)  C>S  application_data
    1 11 0.1281 (0.0131)  S>C  application_data
    1    0.1282 (0.0000)  S>C  TCP FIN
    1 12 9.5960 (9.4678)  C>S  Alert
    1    9.5982 (0.0022)  C>S  TCP FIN

Is there a way to read the TLS version the client is offering in the Client Hello?

Thanks.

1.3K Views, 0 likes, 1 Comment

TLS ciphers supported by Silverline
Today I was asked what TLS ciphers Silverline supports. Does anyone know where I can find that answer in some documentation? I was told that Silverline supports all TLS ciphers in v11.9; however, I'm looking for some documentation on this. That way I have a reference to back up my claim.

Thanks!

356 Views, 0 likes, 1 Comment

Max TPS: RSA vs ECDSA
Dear Devcentral,

I'm looking at some official datasheets (e.g. https://www.f5.com/pdf/products/viprion-overview-ds.pdf ) and am having a hard time understanding the reason for ECDSA max TPSs being so low compared to RSA. No document is making the difference between Signature and Verify operations. I would agree with those numbers if they were referring to Verify operations, but in my understanding of the TLS implementation that would only happen if one enabled ECDSA-based Client Certificate Authentication. When no certificate authentication is enabled on a VS, the operations should mainly be of Signature type, and in that case ECDSA (P-256) should allow many more operations than RSA (2048).

Any idea?

874 Views, 0 likes, 5 Comments