sslv3
5 Topics

SSLv3, TLS1.0 and cipherstrings...
Running v11.6.1. I've tried searching for an answer to this question, which surely must have been asked before, but too many different topics use the same search criteria and I find myself getting into subjects that I really don't need. I've got a client-ssl profile with a cipherstring that contains !SSLv3. Does this mean that clients sending an SSLv3 record layer message will be rejected, or those sending an SSLv3 handshake layer message within a TLS record will be rejected, or both, or neither?

SSL 3.0 Client Tracker
Problem this snippet solves: iRule to track and display information about traffic from SSL 3.0-only clients. Allows application administrators to assess the impact of disabling access to SSL 3.0-only clients using the BIG-IP. The iRule logs and displays Source Address, Host header, User-Agent, SSL Cipher and Geolocation (Continent, Country, State).

How to use this snippet: Enable this iRule on a BIG-IP Virtual Server and then access the "Magic" URL of "/ssl3lookup/" to display the data. Note that the iRule could be broken into parts so that accessing the data is only possible on an internal Virtual Server.

Code :

    # iRule to maintain SSL3-only client information in memory
    # For performance purposes, it only "records" client information based on client IP address as a "key" into table
    # Rule also will not update information if request is from a client IP address that has used SSL3 within the timeout period
    # Chad Jenison c.jenison at f5.com
    when RULE_INIT {
        # set this value to value in seconds you want to keep ssl3clients in memory ; default is 3600 (1 hour)
        set static::ttl 3600
        set static::honorXffIfExists 1
        set static::xffHeaderName "X-Forwarded-For"
        # Host, User-Agent and X-Forwarded-For are client-supplied; escape them before rendering
        set static::htmlEscape {& &amp; < &lt; > &gt;}
    }
    when HTTP_REQUEST {
        if {[SSL::cipher version] eq "SSLv3"} {
            # Key the record on the forwarded address when a proxy supplies one, else on the peer address
            if {$static::honorXffIfExists && [HTTP::header exists $static::xffHeaderName]} {
                set requestorip [HTTP::header value $static::xffHeaderName]
                log local0. "SSL3 connection from Proxy: [IP::client_addr] on behalf of [HTTP::header value $static::xffHeaderName] **Notify Proxy Admin"
            } else {
                set requestorip [IP::client_addr]
            }
            if {[table incr -subtable ssl3sourceIPs $requestorip] eq 1} {
                # First SSLv3 request from this client: record its details
                table timeout -subtable ssl3sourceIPs $requestorip $static::ttl
                table set "ssl3host$requestorip" [HTTP::header "Host"] $static::ttl
                table set "ssl3useragent$requestorip" [HTTP::header "User-Agent"] $static::ttl
                table set "sslcipher$requestorip" [SSL::cipher name] $static::ttl
                log local0. "SSL Cipher Used: [SSL::cipher name]"
            } else {
                # Known client: only refresh the timeouts
                table timeout -subtable ssl3sourceIPs $requestorip $static::ttl
                table timeout "ssl3host$requestorip" $static::ttl
                table timeout "ssl3useragent$requestorip" $static::ttl
                table timeout "sslcipher$requestorip" $static::ttl
            }
        }
        if {[HTTP::uri] starts_with "/ssl3lookup/"} {
            # Table markup: one header row, then one row per tracked client, cells in header order
            set ssl3clienttable "<table border=\"1\"><tr><th>Source IP</th><th>Host Header</th><th>User-Agent</th><th>Geolocation</th><th>SSL Cipher Used</th><th>HTTP Requests</th></tr>"
            foreach clientip [table keys -subtable ssl3sourceIPs] {
                set ipval [string map $static::htmlEscape $clientip]
                set hostval [string map $static::htmlEscape [table lookup "ssl3host$clientip"]]
                set uaval [string map $static::htmlEscape [table lookup "ssl3useragent$clientip"]]
                append ssl3clienttable "<tr><td>$ipval</td><td>$hostval</td><td>$uaval</td><td>[whereis $clientip continent]:[whereis $clientip country]:[whereis $clientip state]</td><td>[table lookup "sslcipher$clientip"]</td><td>[table lookup -subtable ssl3sourceIPs $clientip]</td></tr>"
            }
            append ssl3clienttable "</table>"
            HTTP::respond 200 content "<html><head><title>SSL3 Client Table</title></head><body>$ssl3clienttable</body></html>"
            log local0. "Got Magic Request"
        }
    }

Tested this on version: 11.6

SSLv3 to TLS 1.x Proxy
Hoping to find out if this is possible. We have a server that is only SSLv3 compatible and due to compliance reasons we must use TLS 1.x. Is it possible to use the F5 as a proxy in this situation to terminate the connection from the client and BIG-IP to connect with TLS 1.x? What's the best path? BIG-IP is 10.0.1. Thanks

internal server SSLv3---> BIG-IP as proxy ---TLS 1.x---> Firewall ----> external service

LTM 11.5 L4 VS and SSL Persistence terminates IE8 Connections
After upgrading to 11.5 (from 10.x), a website stopped working with IE8 - Firefox 24.1.1 was working well (actually, in most of the cases just one HTTP request passed in a 'keep-alive' connection). While troubleshooting I realized that this issue is caused by the SSL Persistence Profile which was attached to the Virtual Server. The VS is configured as an L4 service (no SSL termination). I'm aware that version 11.5 does not make use of SSLv3. So I think this is somehow related. Anybody else who sees the same behaviour?