I am working on a project to remove TLS1.0 from our F5 BIG-IP systems.
The company first wants a good overview of where TLS1.0 is still used (which VIPs), so I exported those with a tmsh command, but if there are a lot of connections the value gets shortened with "K" for 1000 and "M" for 1.000.000.
Is there a way to have those fully written out in the export, so that 21.2K is shown as 21.200?
Right now it's hard for me to make visual graphs because I have an export from the BIG-IP, egrep it with Cygwin on my Windows machine locally with 'SSL_|TLS' (client SSL profiles all start with SSL_XXX and I only need TLS connections) and then put this in Excel to visualize it.
Due to the K/M values I can't do calculations with the numbers, because Excel doesn't see them as numbers, so I need to do a lot of manual work.
In the end I want an overview of total connections per protocol, per client SSL profile, and also the percentage of TLS1.0 of this total amount of connections (if for example 1% is TLS1.0 then we won't investigate who is still doing this old crap).
F5 CLI - tmsh show ltm profile client-ssl
If you switch to the tmsh command line (just type 'tmsh' from bash) you can run the following commands:
For all client ssl profiles on the default partition (/Common):
show ltm profile client-ssl raw | grep 'Ltm::ClientSSL\|Protocol'
For all client ssl profiles on all the other partitions:
show ltm profile client-ssl /*/* raw | grep 'Ltm::ClientSSL\|Protocol'
Thanks for the info!
Is there a way to export this to a file also?
show ltm profile client-ssl raw | grep 'Ltm::ClientSSL\|Protocol' > exportssl
I only get the option to display them on my screen
If you have access to the BASH shell, simply run the command from there:
tmsh show ltm profile client-ssl raw | grep 'Ltm::ClientSSL\|Protocol' > fileName
Thank you, I must have made a typo or something because it works now.
The F5 is security focused and will always negotiate at the highest cipher first, TLS1.2.
Profiles -> SSL -> Client -> clientssl (pick whichever parent is used)
--Will negotiate at TLS1.2
Caveat: If the client / server / application cannot negotiate at TLS1.2, it is because the server does not allow a TLS1.2 cipher or is configured to force a less secure cipher due to compatibility issues.
To show all SSL profiles, try:
for i in $(tmsh show ltm profile client-ssl | grep "Ltm::ClientSSL Profile" | sed 's/Ltm::ClientSSL Profile: //'); do tmsh show ltm profile client-ssl $i | grep 'Ltm::ClientSSL\|Protocol'; done
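As an added example (not taken from any post in this thread), the script below does the post-processing the original question asks for: it reads the `show ltm profile client-ssl` export, turns abbreviated counters such as 21.2K and 3.4M into plain integers, keeps only the profiles whose names start with SSL_ (the equivalent of the `egrep 'SSL_|TLS'` step), and produces per-profile and per-protocol totals plus the TLS 1.0 percentage, written out as CSV that Excel reads as numbers. The sample export embedded in it is constructed to match the shape described in the thread; the exact protocol labels and column widths on a given BIG-IP version may differ, in which case only the two regular expressions and the `legacy` label need adjusting. Plain integers pass through `expand()` unchanged, so the script works the same on an export whose counters are not abbreviated.

```python
import csv
import io
import re
from collections import OrderedDict, defaultdict

# tmsh abbreviates big counters: K = 1,000 and M = 1,000,000 (as the question
# says). G and T are added on the same pattern as an assumption.
SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
PROFILE_RE = re.compile(r"^Ltm::ClientSSL Profile:\s*(\S+)")
# indented "label  value[suffix]" line, e.g. "  TLSv1.2      3.4M"
COUNTER_RE = re.compile(r"^\s+(\S+)\s+(\d+(?:\.\d+)?)([KMGT]?)\s*$")


def expand(value, suffix=""):
    """'21.2' + 'K' -> 21200; plain integers pass through unchanged."""
    return int(round(float(value) * SUFFIX[suffix]))


def parse_export(text, profile_prefix="SSL_"):
    """{profile: {protocol: connections}} for profiles named profile_prefix*,
    reading only the counters under each profile's 'Protocol' section."""
    stats, current, in_protocol = OrderedDict(), None, False
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            name = m.group(1).rsplit("/", 1)[-1]  # "/Common/SSL_x" -> "SSL_x"
            current = name if name.startswith(profile_prefix) else None
            in_protocol = False
            if current is not None:
                stats[current] = OrderedDict()
        elif current is None:
            continue
        elif line.strip() == "Protocol":
            in_protocol = True
        elif in_protocol:
            m = COUNTER_RE.match(line)
            if m:
                stats[current][m.group(1)] = expand(m.group(2), m.group(3))
            else:
                in_protocol = False  # first non-counter line ends the section
    return stats


def summarise(stats, legacy=("TLSv1",)):
    """Connections per protocol over all selected profiles, the TLS 1.0 share
    per profile and overall (percent, 2 decimals). 'legacy' names the label(s)
    the export uses for TLS 1.0."""
    per_protocol, per_profile = defaultdict(int), OrderedDict()
    for profile, counters in stats.items():
        total, old = sum(counters.values()), sum(counters.get(p, 0) for p in legacy)
        per_profile[profile] = {"total": total, "tls10": old,
                                "tls10_pct": round(100.0 * old / total, 2) if total else 0.0}
        for proto, n in counters.items():
            per_protocol[proto] += n
    grand = sum(per_protocol.values())
    old = sum(per_protocol.get(p, 0) for p in legacy)
    return dict(per_protocol), per_profile, (round(100.0 * old / grand, 2) if grand else 0.0)


def to_csv(stats):
    """One row per profile, one column per protocol, integers only, so Excel
    sees numbers and can chart or sum them directly."""
    protocols = []
    for counters in stats.values():
        protocols += [p for p in counters if p not in protocols]
    per_profile = summarise(stats)[1]
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["profile"] + protocols + ["total", "tls10_pct"])
    for profile, counters in stats.items():
        w.writerow([profile] + [counters.get(p, 0) for p in protocols]
                   + [per_profile[profile]["total"], per_profile[profile]["tls10_pct"]])
    return out.getvalue()


# Constructed sample in the shape the thread describes (abbreviated counters,
# profiles named SSL_...); labels on a real BIG-IP export may differ.
SAMPLE_EXPORT = """\
Ltm::ClientSSL Profile: SSL_webshop
------------------------------------------------
Virtual Server Name                          N/A
Protocol
  SSLv3                                        0
  TLSv1                                    21.2K
  TLSv1.1                                    850
  TLSv1.2                                   3.4M

Ltm::ClientSSL Profile: SSL_intranet
Protocol
  SSLv3                                        0
  TLSv1                                       12
  TLSv1.1                                      0
  TLSv1.2                                 120.5K

Ltm::ClientSSL Profile: clientssl
Protocol
  TLSv1                                     5.0K
  TLSv1.2                                   1.0K
"""

if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    per_protocol, _, overall = summarise(parsed)
    print(to_csv(parsed), "per protocol:", per_protocol,
          "overall TLS1.0 share: %s%%" % overall, sep="\n")
```

One caveat for the 1% decision: an abbreviated value such as 21.2K has already been rounded to three significant digits by tmsh, so the percentages computed from it are approximate; that is fine unless a profile sits right at the threshold, in which case use an export with unabbreviated counters for that profile.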