Forum Discussion

John_Ogle_45372
Jul 15, 2013

https - cipher string

Can someone give me the correct syntax to make only this cipher work in the SSL negotiation?

SSLv3 (not TLSv1) using the TLS_RSA_WITH_RC4_128_SHA (RC4-SHA group).

Thank you,

7 Replies

  • e.g.

    [root@ve11a:Active:Changes Pending] config  tmm --clientciphers RC4+SHA+SSLv3+MEDIUM
         ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
     0:   5 RC4-SHA                         128  SSL3  Native RC4    SHA    RSA
    [root@ve11a:Active:Changes Pending] config 
    
  • Nitass,

    This works just fine with a clientssl profile, but I need it to work with an https monitor. I have tried a gazillion different variations with no success. I read in an older thread that bigd probably doesn't use the native TMM SSL stack. Do you know the correct syntax to use it with an https monitor?

    Thank you,
  • Ok. I made a mistake. Two things:

    1) After a reboot of the VE, I got the cipher Nitass posted to go right in. Wireshark shows that it still was using TLSv1.

    2) After examining a capture of my working curl test again, it is using SSLv3, but this is the cipher string I need, please:

    TLS_RSA_WITH_3DES_EDE_CBC_SHA

    My apologies for the incorrect cipher string the first time.

    Drew - I will read the article tomorrow. Tired right now.
  • For TLS_RSA_WITH_3DES_EDE_CBC_SHA, can you try this?

    [root@ve11a:Active:Changes Pending] config  tmsh list ltm monitor https myhttps
    ltm monitor https myhttps {
        cipherlist DES-CBC3-SHA
        compatibility enabled
        defaults-from https
        destination *:*
        interval 5
        send "GET /\\r\\n"
        time-until-up 0
        timeout 16
    }
    
    [root@ve11a:Active:Changes Pending] config  ssldump -Aed -nni 0.0 host 200.200.200.101 and port 443
    New TCP connection 1: 200.200.200.11(34552) <-> 200.200.200.101(443)
    1 1  1373977265.0672 (0.0028)  C>SV3.1(80)  Handshake
          ClientHello
            Version 3.1
            random[32]=
              51 e5 3a b1 0e f7 75 f9 df 06 42 16 a8 bc 29 2c
              32 08 9c 53 9b b9 3e 1a e1 31 c5 87 f2 58 50 0f
            resume [32]=
              f7 8b d5 52 45 60 65 3e 0e f9 39 d5 58 82 4b 1c
              92 e0 93 7a f9 9e 49 21 1a 23 10 df 9d 4f ec c3
            cipher suites
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            Unknown value 0xff
            compression methods
                    unknown value
                      NULL
    1 2  1373977265.0690 (0.0018)  S>CV3.1(81)  Handshake
          ServerHello
            Version 3.1
            random[32]=
              51 e5 3a 03 0e 9c 42 f5 0c 4e 6b d1 48 88 d5 dc
              e9 17 c3 df 7e 8c 20 21 4e d7 5f 64 5f 80 44 16
            session_id[32]=
              f7 8b d5 52 45 60 65 3e 0e f9 39 d5 58 82 4b 1c
              92 e0 93 7a f9 9e 49 21 1a 23 10 df 9d 4f ec c3
            cipherSuite         TLS_RSA_WITH_3DES_EDE_CBC_SHA
            compressionMethod                 unknown value
    1 3  1373977265.0690 (0.0000)  S>CV3.1(1)  ChangeCipherSpec
    1 4  1373977265.0690 (0.0000)  S>CV3.1(48)  Handshake
    1 5  1373977265.0707 (0.0016)  C>SV3.1(1)  ChangeCipherSpec
    1 6  1373977265.0707 (0.0000)  C>SV3.1(48)  Handshake
    1 7  1373977265.0707 (0.0000)  C>SV3.1(40)  application_data
    1 8  1373977265.0732 (0.0025)  S>CV3.1(104)  application_data
    1 9  1373977265.0732 (0.0000)  S>CV3.1(32)  Alert
    1    1373977265.0732 (0.0000)  S>C  TCP FIN
    1 10 1373977265.0742 (0.0009)  C>SV3.1(32)  Alert
    1    1373977265.0745 (0.0003)  C>S  TCP FIN
    
    
  • Thank you! It looks like it is still failing. Please review the output of the working version using curl and the failing https monitor. What could be different?

    LTM https monitor - failing

    New TCP connection 1: 172.16.31.8(37464) <-> X.X.X.X(443)
    1 1  1373985585.6667 (0.0685)  C>SV3.1(54)  Handshake
          ClientHello
            Version 3.1
            random[32]=
              51 e5 5b 31 47 83 b8 47 59 fd 5c 96 35 c9 86 b4
              9c b7 3c e0 bb 30 45 d5 ce 65 a6 95 60 37 11 ad
            cipher suites
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            Unknown value 0xff
            compression methods
                    unknown value
                      NULL
    1 2  1373985585.7383 (0.0716)  S>CV3.0(2)  Alert
        level           fatal
        value           unexpected_message
    1 3  1373985585.7383 (0.0000)  S>CV3.0(2)  Alert
        level           warning
        value           close_notify
    1    1373985585.7383 (0.0000)  S>C  TCP FIN
    1    1373985585.7391 (0.0007)  C>S  TCP RST

    curl -kv3 https://hostname.company.com - SUCCESSFUL

    New TCP connection 1: 172.16.31.8(37522) <-> X.X.X.X(443)
    1 1  1373985669.4538 (0.0901)  C>SV3.0(96)  Handshake
          ClientHello
            Version 3.0
            random[32]=
              51 e5 5b 85 e5 10 f7 38 f9 1b 1d 1f cb cd 09 12
              df bc 08 de 1a e1 1f b7 66 84 5e e3 03 e7 2b e4
            cipher suites
            SSL_DHE_RSA_WITH_AES_256_CBC_SHA
            SSL_DHE_DSS_WITH_AES_256_CBC_SHA
            SSL_RSA_WITH_AES_256_CBC_SHA
            SSL_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
            SSL_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
            SSL_RSA_WITH_CAMELLIA_256_CBC_SHA
            SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
            SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
            SSL_RSA_WITH_3DES_EDE_CBC_SHA
            SSL_DHE_RSA_WITH_AES_128_CBC_SHA
            SSL_DHE_DSS_WITH_AES_128_CBC_SHA
            SSL_RSA_WITH_AES_128_CBC_SHA
            Unknown value 0x45
            Unknown value 0x44
            SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
            SSL_RSA_WITH_RC4_128_SHA
            SSL_RSA_WITH_RC4_128_MD5
            SSL_DHE_RSA_WITH_DES_CBC_SHA
            SSL_DHE_DSS_WITH_DES_CBC_SHA
            SSL_RSA_WITH_DES_CBC_SHA
            SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
            SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
            SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
            SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
            SSL_RSA_EXPORT_WITH_RC4_40_MD5
            Unknown value 0xff
            compression methods
                    unknown value
                      NULL
    1 2  1373985669.5154 (0.0615)  S>CV3.0(42)  Handshake
          ServerHello
            Version 3.0
            random[32]=
              51 e5 5b ab eb d1 e6 12 d7 01 60 d7 7a eb 64 7d
              04 00 14 51 62 81 dc 41 9b 14 6a 0c 06 4b ad b8
            session_id[0]=
            cipherSuite         SSL_RSA_WITH_3DES_EDE_CBC_SHA
            compressionMethod                   NULL
    1 3  1373985669.5727 (0.0573)  S>CV3.0(3716)  Handshake
          Certificate
    1 4  1373985669.5727 (0.0000)  S>CV3.0(4)  Handshake
          ServerHelloDone
    1 5  1373985669.5765 (0.0038)  C>SV3.0(260)  Handshake
          ClientKeyExchange
            EncryptedPreMasterSecret[256]=
              9f 04 87 7e e0 a6 cb b9 9d 1e bd f7 d7 etc, etc
    1 6  1373985669.5765 (0.0000)  C>SV3.0(1)  ChangeCipherSpec
    1 7  1373985669.5765 (0.0000)  C>SV3.0(64)  Handshake
    1 8  1373985669.6500 (0.0734)  S>CV3.0(1)  ChangeCipherSpec
    1 9  1373985669.6507 (0.0007)  S>CV3.0(64)  Handshake
    1 10 1373985669.6524 (0.0016)  C>SV3.0(192)  application_data
    1 11 1373985669.7207 (0.0683)  S>CV3.0(152)  application_data
    1 12 1373985669.7207 (0.0000)  S>CV3.0(168)  application_data
    1 13 1373985669.7211 (0.0004)  S>CV3.0(64)  application_data
    1 14 1373985669.7869 (0.0657)  S>CV3.0(24)  application_data
    1 15 1373985669.7869 (0.0000)  S>CV3.0(384)  application_data
    1 16 1373985669.7880 (0.0010)  C>SV3.0(24)  Alert
    1    1373985669.7898 (0.0018)  C>S  TCP FIN
    1 17 1373985669.8591 (0.0692)  S>CV3.0(24)  Alert
    1    1373985669.8591 (0.0000)  S>C  TCP FIN

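The two ssldump traces in the post above differ in one field that matters: the monitor's ClientHello carries version 3.1 (TLSv1.0) and is answered with a fatal unexpected_message alert at record version 3.0, while the `curl -3` ClientHello carries version 3.0 and the server completes the handshake with SSL_RSA_WITH_3DES_EDE_CBC_SHA. The following is an added example written for this page (it is not code from the thread, from F5, or from bigd) that builds a ClientHello pinned to one protocol version and one explicit cipher list, and decodes the server's first record into the same fields ssldump prints, so the two outcomes can be reproduced and compared offline. The server replies below are constructed from the values in the traces, not captured from the poster's server, and the suite-name table covers only the code points that appear in this thread. Note for anyone revisiting this in the present: SSLv3 and 3DES are both deprecated (POODLE and Sweet32 respectively), so a version pin like this belongs in a diagnostic, not in a production monitor.

```python
# Added example (editor's, not from the thread, F5 or bigd): build an SSL/TLS
# ClientHello pinned to one version and one cipher list, and decode the
# server's first record the way ssldump prints it.  Sample replies below are
# constructed from the traces in the thread, not captured.
import os
import struct

CT_ALERT, CT_HANDSHAKE = 21, 22          # record content types
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2  # handshake message types

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0"}
SUITES = {                                # IANA code point -> name (OpenSSL name in comment)
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",       # RC4-SHA
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",  # DES-CBC3-SHA
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # ssldump prints "Unknown value 0xff"
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {0: "close_notify", 10: "unexpected_message",
               40: "handshake_failure", 70: "protocol_version"}


def _record(ctype, version, payload):
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


def _handshake(hs_type, body):
    return struct.pack("!B", hs_type) + len(body).to_bytes(3, "big") + body


def build_client_hello(version, suites, client_random=None):
    """ClientHello offering exactly `suites`, record and hello version both `version`."""
    rand = client_random if client_random is not None else os.urandom(32)
    body = (struct.pack("!BB", *version) + rand
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                               # one compression method: NULL
    return _record(CT_HANDSHAKE, version, _handshake(HS_CLIENT_HELLO, body))


def build_server_hello(version, suite, session_id=b""):
    """Minimal ServerHello; used here only to construct a sample server reply."""
    body = (struct.pack("!BB", *version) + bytes(32)
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    return _record(CT_HANDSHAKE, version, _handshake(HS_SERVER_HELLO, body))


def parse_record(data):
    """Decode the first record in `data` into a dict mirroring ssldump's fields."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    out = {"record_version": VERSIONS.get((major, minor), f"{major}.{minor}")}
    if ctype == CT_ALERT:
        out.update(type="Alert",
                   level=ALERT_LEVELS.get(payload[0], payload[0]),
                   description=ALERT_DESCS.get(payload[1], payload[1]))
    elif ctype == CT_HANDSHAKE and payload[0] in (HS_CLIENT_HELLO, HS_SERVER_HELLO):
        body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
        out["hello_version"] = VERSIONS.get((body[0], body[1]), f"{body[0]}.{body[1]}")
        off = 35 + body[34]                               # skip version, random, session_id
        if payload[0] == HS_SERVER_HELLO:
            suite = struct.unpack("!H", body[off:off + 2])[0]
            out.update(type="ServerHello", cipher_suite=SUITES.get(suite, hex(suite)))
        else:
            n = struct.unpack("!H", body[off:off + 2])[0]
            codes = [struct.unpack("!H", body[i:i + 2])[0]
                     for i in range(off + 2, off + 2 + n, 2)]
            out.update(type="ClientHello", cipher_suites=[SUITES.get(c, hex(c)) for c in codes])
    else:
        out["type"] = f"content_type_{ctype}"
    return out


def handshake_outcome(reply):
    """One-line verdict on the server's first record, as a monitor would need it."""
    r = parse_record(reply)
    if r["type"] == "ServerHello":
        return f"negotiated {r['hello_version']} with {r['cipher_suite']}"
    if r["type"] == "Alert":
        return f"rejected: {r['level']} alert {r['description']} (record version {r['record_version']})"
    return f"unexpected record {r['type']}"


# Constructed samples modelled on the two traces (hypothetical bytes, not captures).
MONITOR_HELLO = build_client_hello((3, 1), [0x000A, 0x00FF])     # what bigd sent: TLSv1.0
CURL_SSL3_HELLO = build_client_hello((3, 0), [0x000A, 0x00FF])   # curl -3 style: SSLv3
SERVER_FATAL_ALERT = _record(CT_ALERT, (3, 0), bytes([2, 10]))   # "level fatal / unexpected_message"
SERVER_HELLO_SSL3 = build_server_hello((3, 0), 0x000A)           # "cipherSuite SSL_RSA_WITH_3DES_EDE_CBC_SHA"

if __name__ == "__main__":
    print("monitor hello:", parse_record(MONITOR_HELLO))
    print("curl -3 hello:", parse_record(CURL_SSL3_HELLO))
    print("monitor got:  ", handshake_outcome(SERVER_FATAL_ALERT))
    print("curl -3 got:  ", handshake_outcome(SERVER_HELLO_SSL3))
```

To check a real target, send `build_client_hello((3, 0), [0x000A])` over a plain socket and feed the first 5+N bytes of the reply to `handshake_outcome`; a ServerHello at SSLv3 with TLS_RSA_WITH_3DES_EDE_CBC_SHA is the result `curl -3` obtained above, and a fatal alert in response to a (3, 1) hello is the behaviour the monitor ran into.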
  • It seems bigd (the health monitor) does not send SSLv3 only, even when adding !TLS1 to the cipher list.