Forum Discussion

ToonVA
Jan 16, 2019

Log TLS version in Irule for TCP VIP

Hi All,

I am working on a project to remove all TLS 1.0 connections on the F5, but first we need to know who is still connecting to certain VIPs.

There is already an iRule defined by one of my colleagues, but it only works when there is an HTTP profile attached. We also have plain TCP VIPs with SSL offloading, so I can't attach the iRule below to them.

when HTTP_REQUEST {
    # Log only once per TCP connection: the variable persists across
    # keep-alive requests on the same connection.
    if { [info exists logged] && $logged == 1 } {
        # Do nothing. Already logged for this connection
    } else {
        set logged 1
        log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] Client:[HTTP::header "User-Agent"]:[HTTP::host]"
    }
}

I am not good at scripting, but I understand the logic above and need something similar without the "HTTP_REQUEST" event etc., because the TCP VIP does not carry HTTP traffic...

Can someone help me make an iRule which will work with plain TCP?

4 Replies

  • Try using the CLIENTSSL_HANDSHAKE event instead of the HTTP_REQUEST event. Documentation for it here


  • Thanks for the information. I did some research and managed to get it running on our infra. Below is the iRule I reworked for a TCP-enabled VIP (without an HTTP profile).

    when CLIENTSSL_HANDSHAKE {
        # Fires once the client-side TLS handshake completes, so it works on a
        # plain TCP VIP with a client SSL profile and no HTTP profile.
        # The guard keeps a renegotiation on the same connection from logging twice.
        if { [info exists logged] && $logged == 1 } {
            # Do nothing. Already logged for this connection
        } else {
            set logged 1
            log "WAARDE TLS1.0 check, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits]"
        }
    }
    

    The "Waarde" in bold is the trigger i can use to check in the LTM file from \var\log\ltm

    LTM Output example (masked some items with ): Line 429655: Jan 17 08:34:24 slot2/VCMP- info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG_172... : WAARDE TLS1.0 check, from 10... to vip 172... Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128
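    Once the iRule is logging, the remaining work is turning /var/log/ltm into a per-VIP list of clients that still negotiate TLS 1.0. The following Python script is an added example and not part of the original thread or of F5's own tooling: it parses lines of the shape shown above, groups clients per VIP and protocol version, and lists the ones still on a legacy protocol. The log lines, IP addresses, VIPs and iRule name in SAMPLE_LTM_LOG are constructed for this example; the regex only depends on the "WAARDE TLS1.0 check, from ... to vip ... Cipher name:version:bits" part that the iRule emits. Note that SSL::cipher version reports TLS 1.0 as "TLSv1", which is what the script flags by default (along with SSLv2/SSLv3); pass a different set to legacy_clients() to flag TLSv1.1 as well.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of /var/log/ltm entries in the shape produced by the iRule.
# Hosts, IPs, ciphers, the iRule name and the unrelated mcpd line are made up
# for this example (the mcpd line shows that non-matching entries are ignored).
SAMPLE_LTM_LOG = """\
Jan 17 08:34:24 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG <CLIENTSSL_HANDSHAKE>: WAARDE TLS1.0 check, from 10.0.0.15 to vip 172.16.1.10 Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128
Jan 17 08:34:25 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG <CLIENTSSL_HANDSHAKE>: WAARDE TLS1.0 check, from 10.0.0.16 to vip 172.16.1.10 Cipher ECDHE-RSA-AES256-GCM-SHA384:TLSv1.2:256
Jan 17 08:34:26 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG <CLIENTSSL_HANDSHAKE>: WAARDE TLS1.0 check, from 10.0.0.15 to vip 172.16.1.10 Cipher ECDHE-RSA-AES128-CBC-SHA:TLSv1:128
Jan 17 08:35:01 slot2/VCMP-1 info tmm[19343]: 01220002:6: Rule /Common/Irule_TLS1.0_CHECK_LOG <CLIENTSSL_HANDSHAKE>: WAARDE TLS1.0 check, from 10.0.1.7 to vip 172.16.1.11 Cipher AES128-SHA:TLSv1.1:128
Jan 17 08:35:09 slot2/VCMP-1 notice mcpd[6251]: 01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_pop3).
"""

# Only the part the iRule's log statement writes is matched; the syslog prefix
# and the "Rule ... :" text before it are not relied on.
HANDSHAKE_RE = re.compile(
    r"WAARDE TLS1\.0 check, from (?P<client>\S+) to vip (?P<vip>\S+) "
    r"Cipher (?P<cipher>[^:\s]+):(?P<version>[^:\s]+):(?P<bits>\d+)"
)

# SSL::cipher version reports TLS 1.0 as "TLSv1". TLSv1.1 is not flagged by
# default; pass your own set to legacy_clients() if it should be.
LEGACY_VERSIONS = frozenset({"SSLv2", "SSLv3", "TLSv1"})


def parse_handshake_log(text):
    """Return one dict (client, vip, cipher, version, bits) per matching log line."""
    records = []
    for line in text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m is None:
            continue  # unrelated LTM entries are skipped
        rec = m.groupdict()
        rec["bits"] = int(rec["bits"])
        records.append(rec)
    return records


def summarize_by_vip(records):
    """{vip: {version: {client, ...}}} so each VIP can be assessed on its own."""
    summary = defaultdict(lambda: defaultdict(set))
    for r in records:
        summary[r["vip"]][r["version"]].add(r["client"])
    return summary


def legacy_clients(records, legacy_versions=LEGACY_VERSIONS):
    """Sorted, de-duplicated (vip, client, version, cipher) tuples still on a legacy protocol.

    The iRule logs once per connection, so the same client shows up repeatedly;
    the set collapses those into one entry per distinct combination.
    """
    found = {(r["vip"], r["client"], r["version"], r["cipher"])
             for r in records if r["version"] in legacy_versions}
    return sorted(found)


def report(text):
    """Human-readable summary of a log excerpt, returned as a string."""
    records = parse_handshake_log(text)
    lines = []
    for vip, by_version in sorted(summarize_by_vip(records).items()):
        lines.append(f"VIP {vip}:")
        for version, clients in sorted(by_version.items()):
            lines.append(f"  {version:<8} {len(clients)} client(s): {', '.join(sorted(clients))}")
    lines.append("Still on a legacy protocol (migrate before disabling TLS 1.0):")
    for vip, client, version, cipher in legacy_clients(records):
        lines.append(f"  {client} -> {vip}  {version}  {cipher}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the path of a copied /var/log/ltm to analyse a real log; otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_LTM_LOG))
```

    Run it against a copy of /var/log/ltm (or the rotated ltm.1, ltm.2 files, which hold the older entries) after the iRule has been in place long enough to cover the monthly and batch clients that only connect occasionally; a short capture window is the usual reason a "clean" migration still breaks something.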

    • PSPK

      Hello,


      I have a TCP VIP on port 995 with no HTTP Profile or client-ssl profile.

      I tried to apply the above iRule and it threw the following error:


      01070394:3: CLIENTSSL_HANDSHAKE event in rule (/Common/TLS-Version-2) requires an associated CLIENTSSL profile on the virtual server (/Common/vs_exchange-2016_pop3_MWDC).


      I really need an iRule to help me log the incoming client TLS versions.

  • Without an SSL profile, you will not be able to use a CLIENTSSL_HANDSHAKE event-based iRule.


    FYI, the BIG-IP LTM Client SSL profile supports POPS (port 995).