TLS support in iRule editor

Question

After updating my supported cipher/protocol list on the default clientssl profile on my BigIP LTM:&nbsp;
NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!TLSv1:-RC4:@SPEED&nbsp;
I'm no longer able to connect the F5 iRule editor to my BigIP. Is 0.11.6.1 only supporting TLS1.0?&nbsp;

aaronmlong_1021 · Accepted Answer

Thanks, Kai &amp; Mo. Any chance that better TLS support is going to show up in an upcoming update of the iRule editor? I can certainly use Fiddler to proxy it, but it does seem silly.&nbsp;

mo_99289 · Answer

when using the cipher string you provided, the cipher used by default clientssl profile are below,
doesn't contain TLS1.0. so it might be the cause.
you could capture ssl session btw iRule Editor and the bigip to find out more info.
                  ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA 
 1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 2: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA 
 3: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA 
 5: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA 
 6: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 7: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
 8:   163  DHE-DSS-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  DHE/DSS   
 9:   106  DHE-DSS-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  DHE/DSS   
10:    56  DHE-DSS-AES256-SHA               256  TLS1.1  Native  AES       SHA     DHE/DSS   
11:    56  DHE-DSS-AES256-SHA               256  TLS1.2  Native  AES       SHA     DHE/DSS   
12:    56  DHE-DSS-AES256-SHA               256  DTLS1   Native  AES       SHA     DHE/DSS   
13: 49202  ECDH-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM   SHA384  ECDH_RSA  
14: 49198  ECDH-ECDSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM   SHA384  ECDH_ECDSA
15: 49194  ECDH-RSA-AES256-SHA384           256  TLS1.2  Native  AES       SHA384  ECDH_RSA  
16: 49190  ECDH-ECDSA-AES256-SHA384         256  TLS1.2  Native  AES       SHA384  ECDH_ECDSA
17: 49167  ECDH-RSA-AES256-SHA              256  TLS1.1  Native  AES       SHA     ECDH_RSA  
18: 49167  ECDH-RSA-AES256-SHA              256  TLS1.2  Native  AES       SHA     ECDH_RSA  
19: 49157  ECDH-ECDSA-AES256-SHA            256  TLS1.1  Native  AES       SHA     ECDH_ECDSA
20: 49157  ECDH-ECDSA-AES256-SHA            256  TLS1.2  Native  AES       SHA     ECDH_ECDSA
21:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA       
22:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA       
23:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA       
24:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA       
25:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA       
26: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.1  Native  DES       SHA     ECDHE_RSA 
27: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA 
28: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1.1  Native  DES       SHA     ECDHE_ECDSA
29: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1.2  Native  DES       SHA     ECDHE_ECDSA
30: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1.1  Native  DES       SHA     ECDH_RSA  
31: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1.2  Native  DES       SHA     ECDH_RSA  
32: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1.1  Native  DES       SHA     ECDH_ECDSA
33: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1.2  Native  DES       SHA     ECDH_ECDSA
34:    10  DES-CBC3-SHA                     168  TLS1.1  Native  DES       SHA     RSA       
35:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA       
36:    10  DES-CBC3-SHA                     168  DTLS1   Native  DES       SHA     RSA       
37: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA 
38: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
39: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA 
40: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
41: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA 
42: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA 
43: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
44: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
45:   162  DHE-DSS-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  DHE/DSS   
46:    64  DHE-DSS-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  DHE/DSS   
47:    50  DHE-DSS-AES128-SHA               128  TLS1.1  Native  AES       SHA     DHE/DSS   
48:    50  DHE-DSS-AES128-SHA               128  TLS1.2  Native  AES       SHA     DHE/DSS   
49:    50  DHE-DSS-AES128-SHA               128  DTLS1   Native  AES       SHA     DHE/DSS   
50: 49201  ECDH-RSA-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM   SHA256  ECDH_RSA  
51: 49197  ECDH-ECDSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM   SHA256  ECDH_ECDSA
52: 49193  ECDH-RSA-AES128-SHA256           128  TLS1.2  Native  AES       SHA256  ECDH_RSA  
53: 49189  ECDH-ECDSA-AES128-SHA256         128  TLS1.2  Native  AES       SHA256  ECDH_ECDSA
54: 49166  ECDH-RSA-AES128-SHA              128  TLS1.1  Native  AES       SHA     ECDH_RSA  
55: 49166  ECDH-RSA-AES128-SHA              128  TLS1.2  Native  AES       SHA     ECDH_RSA  
56: 49156  ECDH-ECDSA-AES128-SHA            128  TLS1.1  Native  AES       SHA     ECDH_ECDSA
57: 49156  ECDH-ECDSA-AES128-SHA            128  TLS1.2  Native  AES       SHA     ECDH_ECDSA
58:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA       
59:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA       
60:    47  AES128-SHA                       128  TLS1.1  Native  AES       SHA     RSA       
61:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA       
62:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA       
63:   135  DHE-DSS-CAMELLIA256-SHA          256  TLS1.1  Native  CAMELLIA  SHA     DHE/DSS   
64:   135  DHE-DSS-CAMELLIA256-SHA          256  TLS1.2  Native  CAMELLIA  SHA     DHE/DSS   
65:   132  CAMELLIA256-SHA                  256  TLS1.1  Native  CAMELLIA  SHA     RSA       
66:   132  CAMELLIA256-SHA                  256  TLS1.2  Native  CAMELLIA  SHA     RSA       
67:    68  DHE-DSS-CAMELLIA128-SHA          128  TLS1.1  Native  CAMELLIA  SHA     DHE/DSS   
68:    68  DHE-DSS-CAMELLIA128-SHA          128  TLS1.2  Native  CAMELLIA  SHA     DHE/DSS   
69:    65  CAMELLIA128-SHA                  128  TLS1.1  Native  CAMELLIA  SHA     RSA       
70:    65  CAMELLIA128-SHA                  128  TLS1.2  Native  CAMELLIA  SHA     RSA

kai_wilke · Answer

Hi Aaron,&nbsp;
the iRule Editor is unfortunately using very unsecure SSL/TLS libs and/or settings. &nbsp;
Beside of the missing TLS1.1, TLS1.2 support, the iRule editor is even not checking for trusted certificates, name matchings, and revocation information. So if security is a concern, then better use a desktop based SSL-Inspection proxy (e.g. Fiddler2), to connect the iRule Editor to your F5.&nbsp;
Cheers, Kai&nbsp;

Forum Discussion

TLS support in iRule editor

3 Replies

Recent Discussions

Rewrite uri translation not working

no available managed rule groups for Israel il-central-1

About shun list for L7 DDoS?

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

ASM instance creation

Related Content

LTM Diameter iRules and Profile Configurations with Support for Server Initiated Request

Cipher Suites Supported (12.1.5.3)

BIG-IP DNS Forwarder Support via iRule

TMOS v17 support policy

Multi-port support for HTTP/TCP load balancers in F5 Distributed Cloud (XC)