
Log all TLS v1.0 Connections

I'm looking for an iRule to log all TLS v1.0 connections to a remote logging server.

I'd like to include in the logs the external client IP, VIP, and time.

I'm very new to scripting, so any help would be GREATLY appreciated!

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Here,

We already have an SSL3 tracker; just change SSLv3 to TLSv1.

Also Dave has posted a graph too.

Put in some effort and you should have your own iRule.

0
Comments on this Answer
Comment made 05-Jun-2017 by msmith1356 67

Jaikumar, I appreciate the reply. I am interested in utilizing your SSL3 tracker, but I have a couple of questions:

-In the remarks, it states that it holds the client information in memory...does that mean it holds it in RAM or does it write it to the disk (in a log format perhaps)?

-I'm looking for data spread out over weeks. We are looking at disabling TLSv1 and I need to figure out which clients are hitting multiple sites using TLSv1...the data will need to be recorded for a couple of weeks to get good results.

-How do I access the "magic uri"? Will it be accessible externally?

I'm very new to the iRule game and I'm working with production units so I need to be TOTALLY confident in what I'm doing before I do it.

Thanks again.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello,

You can use that code:

when HTTP_REQUEST {
    if {[SSL::cipher version] equals "TLSv1"} {
        set hsl [HSL::open -proto UDP -pool syslog_server_pool]
        set time [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %Z"]
        HSL::send $hsl "<190> TLSv1 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    }
}

You will need to create a pool named "syslog_server_pool" and add your remote log server to it. You can change the pool name of course, but it must match the name used in the iRule.

The output should look like this:

Msg: TLSv1 Request Detected: Time = 06/Jun/2017:19:08:05 EEST, Client IP:Port = 10.10.10.100:58978, F5 VIP:Port = 10.10.10.20:443

0
Comments on this Answer
Comment made 07-Jun-2017 by msmith1356 67

Ilian, thank you, that is precisely what I was looking for!

Any idea how much of a performance hit I'd get enabling this iRule on a bunch of virtual servers?

0
Comment made 07-Jun-2017 by Ilian Ivanov 517

Unfortunately, that is something I can't predict. It depends on how many connections you will have, and also on the number of VIPs that will need the iRule.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Does this break down connections by TLS 1.0/1.1/1.2, or does it lump them all into "TLSv1 Requests" without specifying the specific versions?

0
Comments on this Answer
Comment made 22-Aug-2018 by jaikumar_f5 1929

Hi Dwcoffin,

If you check the [article](Categorize SSL traffic by version, display as graph), it does break it down by all versions.

If you are looking for an iRule for remote logging of all versions:

when HTTP_REQUEST {
    set hsl [HSL::open -proto UDP -pool syslog_server_pool]
    set time [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %Z"]
    if {[SSL::cipher version] equals "TLSv1"} {
        HSL::send $hsl "TLSv1 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    }
    if {[SSL::cipher version] equals "TLSv1.1"} {
        HSL::send $hsl "TLSv1.1 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    }
    if {[SSL::cipher version] equals "TLSv1.2"} {
        HSL::send $hsl "TLSv1.2 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    }
}
0
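Added example, not posted by anyone in this thread and not F5 code: once the iRules from Ilian's and jaikumar's answers are sending lines to the syslog server, the question from earlier in the thread (which clients hit multiple sites over TLSv1, across weeks of data) still has to be answered from those logs. The Python script below parses the exact message format both iRules emit (the "<190>" syslog priority prefix from the first variant is treated as optional), counts requests per TLS version, and for one chosen version lists each client IP with the VIP:port targets it reached and the first/last time it was seen. The log lines in SAMPLE_LOG are constructed for the example; it assumes the syslog server stores the HSL message text unchanged, one record per line, and that all stamps come from one BIG-IP so the zone abbreviation can be dropped when comparing times.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of the lines the iRules above send via HSL (not real
# captured traffic). The "<190>" syslog priority is present only in the
# first answer's variant, so the parser treats it as optional.
SAMPLE_LOG = """\
<190> TLSv1 Request Detected: Time = 06/Jun/2017:19:08:05 EEST, Client IP:Port = 10.10.10.100:58978, F5 VIP:Port = 10.10.10.20:443
TLSv1.2 Request Detected: Time = 06/Jun/2017:19:08:07 EEST, Client IP:Port = 10.10.10.101:50122, F5 VIP:Port = 10.10.10.20:443
TLSv1 Request Detected: Time = 07/Jun/2017:08:15:30 EEST, Client IP:Port = 10.10.10.100:58979, F5 VIP:Port = 10.10.10.21:8443
TLSv1.1 Request Detected: Time = 07/Jun/2017:08:16:02 EEST, Client IP:Port = 10.10.10.102:41000, F5 VIP:Port = 10.10.10.20:443
some unrelated syslog line that must be ignored
"""

# One regex for both iRule variants: optional syslog priority, then the
# version word, the time stamp, client IP:port and VIP:port.
LINE_RE = re.compile(
    r"^(?:<\d+>\s*)?"
    r"(?P<version>TLSv1(?:\.\d)?) Request Detected: "
    r"Time = (?P<time>[^,]+), "
    r"Client IP:Port = (?P<client>[^:]+):(?P<cport>\d+), "
    r"F5 VIP:Port = (?P<vip>[^:]+):(?P<vport>\d+)$"
)


def parse_time(stamp):
    """Parse the iRule's "%d/%b/%Y:%H:%M:%S %Z" stamp into a naive datetime.

    The trailing zone abbreviation (e.g. EEST) is dropped because strptime's
    %Z only accepts a few fixed names; all stamps come from one BIG-IP, so
    they are comparable without it (an assumption of this example).
    """
    return datetime.strptime(stamp.rsplit(" ", 1)[0], "%d/%b/%Y:%H:%M:%S")


def parse_line(line):
    """Return a dict for one HSL line, or None if the line is not one of ours."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "version": m.group("version"),
        "time": parse_time(m.group("time")),
        "client": m.group("client"),
        "client_port": int(m.group("cport")),
        "vip": m.group("vip"),
        "vip_port": int(m.group("vport")),
    }


def version_counts(log_text):
    """Count requests per TLS version across the whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[rec["version"]] += 1
    return dict(counts)


def summarize(log_text, version="TLSv1"):
    """Per client IP using `version`: the VIP:port targets it hit and the
    first/last time it was seen, so a weeks-long capture can be judged at a glance."""
    clients = defaultdict(lambda: {"targets": set(), "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["version"] != version:
            continue
        entry = clients[rec["client"]]
        entry["targets"].add(f"{rec['vip']}:{rec['vip_port']}")
        t = rec["time"]
        if entry["first_seen"] is None or t < entry["first_seen"]:
            entry["first_seen"] = t
        if entry["last_seen"] is None or t > entry["last_seen"]:
            entry["last_seen"] = t
    # Sorted lists make the output stable and easy to diff between runs.
    return {c: {**e, "targets": sorted(e["targets"])} for c, e in clients.items()}


def clients_on_multiple_vips(summary):
    """Clients that reached more than one VIP:port with the summarized version."""
    return sorted(c for c, e in summary.items() if len(e["targets"]) > 1)


if __name__ == "__main__":
    print("Requests per version:", version_counts(SAMPLE_LOG))
    report = summarize(SAMPLE_LOG, "TLSv1")
    for client, entry in sorted(report.items()):
        print(f"{client}: {', '.join(entry['targets'])} "
              f"(first {entry['first_seen']}, last {entry['last_seen']})")
    print("TLSv1 clients on more than one VIP:", clients_on_multiple_vips(report))
```

Because the VIP port is parsed as its own field, the same report also covers virtual servers listening on ports other than 443, as asked about later in the thread; to run it on a real capture, replace SAMPLE_LOG with the contents of the syslog file.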
Comment made 23-Aug-2018 by dwcoffin 1

Thanks for clarification!

0
Comment made 3 months ago by dwcoffin 1

We have implemented this iRule. It is working as expected. Thank you! Could you also provide information on including encrypted connections made on non-standard ports (not port 443), please?

0