Cipher availability changes in upgrade from 11.6 to 13

In preparation for upgrade from 11.6 to 13.x, I am trying to develop a method to identify legacy, deprecated, and unsupported ciphers in current use on our 11.6.3 LTMs that will break functionality once we're running 13.x.

I see that the methodology will change (https://devcentral.f5.com/articles/cipher-rules-and-groups-in-big-ip-v13-25200), but what impact will that have on the existing 11.6 cipher strings and option settings?

Of course, the smart thing would be to require the servers & apps using old ciphers to be up to date. But that's a different silo, and involves all the accompanying layer 8 entanglements.

Does anyone have experience or advice in finding client and server profiles that will fail following upgrade?

0
Comments on this Question
Comment made 2 months ago by jlarger 108

This isn't quite what I was hoping for, but it's a start.

I can issue "reset-stats ltm profile server-ssl" with the * wildcard, and do the same for client-ssl.

Then I can wait a set time, issue show ltm profile server-ssl all, and for client-ssl, and dump those to a text file.

I can then parse the text and assign each profile values for each available stat to determine where weaknesses are. For thousands of profiles on hundreds of LTMs. Laborious, no?

Given how much time we spend on TLS/SSL issues and responding to vulnerability scans, this should really be easier to find.

0
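The reset-stats / wait / show / dump procedure described in the comment above leaves the parsing step to be done by hand. Here is an added example, written for this page and not code from the original thread or from F5, of a small Python parser that does that part: it reads a saved `show ltm profile client-ssl all` (or `server-ssl all`) dump, collects the per-profile counters, and reports only the profiles whose legacy protocol or cipher counters are non-zero. The sample dump is constructed to approximate the tmsh statistics layout (a `Ltm::ClientSSL Profile:` header per profile, then indented "stat   count" rows under sections such as Protocol and Cipher); the exact column widths on a real device may differ, which is why the regexes match on whitespace rather than fixed positions. The `LEGACY_STATS` set is an assumption used as a starting point and should be adjusted against K13163 for the target release.

```python
"""Parse a saved `show ltm profile client-ssl all` / `server-ssl all` dump and
flag profiles whose counters show legacy protocol or cipher use.

Added example for this thread; not F5 code. The dump format is assumed from
the general tmsh statistics layout, and the sample below is constructed.
"""
import re
import sys

# Constructed sample dump approximating tmsh output (not real device output).
SAMPLE_DUMP = """\
------------------------------------------------------------------
Ltm::ClientSSL Profile: app1_clientssl
------------------------------------------------------------------
Virtual Server Name                                 /Common/app1_vs

Protocol
  SSLv2                                                   0
  SSLv3                                                   0
  TLSv1                                                 412
  TLSv1.1                                                 0
  TLSv1.2                                              9831

Cipher
  AES                                                  9831
  RC4                                                   412
  DES                                                     0

------------------------------------------------------------------
Ltm::ClientSSL Profile: app2_clientssl
------------------------------------------------------------------
Virtual Server Name                                 /Common/app2_vs

Protocol
  SSLv3                                                   0
  TLSv1.2                                              1207

Cipher
  AES-GCM                                              1207
  RC4                                                     0
"""

# Profile header line, e.g. "Ltm::ClientSSL Profile: app1_clientssl".
PROFILE_RE = re.compile(r"^Ltm::(ClientSSL|ServerSSL) Profile:\s+(\S+)")
# Indented counter row: stat name, two or more spaces, integer count.
STAT_RE = re.compile(r"^\s+(\S.*?)\s{2,}(\d+)\s*$")

# Assumed starting point for "legacy" counters; tune against K13163.
LEGACY_STATS = {"SSLv2", "SSLv3", "TLSv1", "RC4", "DES", "MD5", "EXPORT", "NULL"}


def parse_profile_stats(text):
    """Return {profile_name: {stat_name: count}} from a tmsh stats dump."""
    stats = {}
    current = None
    for line in text.splitlines():
        header = PROFILE_RE.match(line)
        if header:
            current = header.group(2)
            stats[current] = {}
            continue
        if current is None:
            continue  # preamble before the first profile
        row = STAT_RE.match(line)
        if row:
            stats[current][row.group(1).strip()] = int(row.group(2))
    return stats


def legacy_usage(stats, legacy=LEGACY_STATS):
    """Return {profile: {stat: count}} keeping only non-zero legacy counters."""
    hits = {}
    for profile, counters in stats.items():
        found = {k: v for k, v in counters.items() if k in legacy and v > 0}
        if found:
            hits[profile] = found
    return hits


if __name__ == "__main__":
    # Feed a saved dump on stdin (one file per LTM); fall back to the sample.
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for profile, found in sorted(legacy_usage(parse_profile_stats(text)).items()):
        print(profile, found)
```

Run it once per device against the text file produced by the show command; a profile appears in the output only if a counter in the legacy set moved during the observation window, so a quiet profile is not evidence that it is clean.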

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The first thing I'd do is review the supported cipher differences between the versions: https://support.f5.com/csp/article/K13163.

You could also capture the stats of current user traffic into iStats and graph it. Here's a way to do that: https://f5-agility-labs-irules.readthedocs.io/en/latest/class2/module1/lab1.html

1
Comments on this Answer
Comment made 2 months ago by jlarger 108

I have reviewed the list of supported ciphers to compare versions. But it tells me nothing about what the clients and servers are up to.

This is great info and I will definitely have to play with this method. Still very labor intensive, though. And I am trying to gather initial info on thousands of virtuals across 70 HA pairs.

0
Comment made 2 months ago by jlarger 108

OK, istats rocks and I'm amazed F5 support didn't suggest this for my support case in the first place.

Has anyone done this on a large scale? How much of an impact is involved if istats gathered data on several hundred virtuals? How does istats scale?

0
Comment made 2 months ago by Kevin Stewart

iStats are tmm-level objects, so should scale pretty well. Plus, if you're doing counters, you're really not storing that much information.

0
Comment made 2 months ago by jlarger 108

Thanks. This definitely seems like a workable strategy.

0