Forum Discussion

PeterKoine_1630's avatar
PeterKoine_1630
Icon for Nimbostratus rankNimbostratus
Jan 22, 2015
Solved

Issue changing TLS version in HTTPS monitor

Hello everyone,   I am having troubles to change the cipher suite on a custom https monitor. Our client has turned off TLS v1.0 on their servers but each time I change the cipher option from DEFAU...
application delivery
availability
deployment
design
LTM
management
  • SynACk_128568's avatar
    SynACk_128568
    Jan 22, 2015

    Hi Peter ,

     

    https monitor uses openssl library and openssl flags sslv3 and tls1.0 same . So when you use DEFAULT:!SSLv3:!TLSv1 there are no ciphers left to negotiate .

     

    have you tried

     

    tmsh modify ltm monitor https monitor_name cipherlist TLSv1 or someother version .

     

    you can see openssl ciphers by using this command :

     

    openssl -v DEFAULT or some other setting in cipherlist in monitor https

     

SynACk_128568's avatar
SynACk_128568
Icon for Cirrostratus rankCirrostratus

Hi Peter,

We checked and got a solution from F5 :

once the server negotiates from SSLv2 to TLS1, all subsequent connections will utilize the later protocol. Due to the fact that these pool members have already negotiated to TLSv1, some of the monitors are shown working to pool members with sslv2 disabled .

basically they told that LTM cannot perform negotiate .

They recommended to disable :

app-service none
cert none
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled  <---try setting compatibility to disale

On F5 documents compatibility Displays, when enabled, that the SSL options setting (in OpenSSL) is set to ALL. The default is Enabled.

Not able to understand it's purpose ?

Thanks

PeterKoine_1630's avatar
PeterKoine_1630
Icon for Nimbostratus rankNimbostratus
Jan 30, 2015
Hi SynACk, the compatibility setting is about turning on openssl's bug workarounds https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html During an ssl session handshake, in the client hello message, the client sends all the ciphers it supports and mentions the highest ssl version it can use. Server should always choose the strongest compatible. So yes, if you have SSLv2 and TLS1 enabled, TLS1 should always be chosen in all future connection. But haven't you mentioned that you have SSLv2 and SSLv3 disabled on the servers? Also, has turning off compatibility solved the issue you have?