Forum Discussion

Chris_Olson_172
Jun 09, 2016

How can I find what clients are using TLS 1.0

I need to determine what clients are using TLS 1.0. My thought is to create an iRule to gather the source IP of the client. I know I can view statistics with:

 

tmsh show ltm profile client-ssl

 

That's a good first start, but is there a way to determine what clients are still using TLS 1.0? We plan to disable this protocol but are babysitting our clients rather than just issuing a deadline and forcing them to upgrade to current browsers.

 

Warning. I am terrible at scripting so assume you are talking to a five year old.

 

9 Replies

  • R_Marc

    you can do it in an iRule pretty easily:

    when CLIENTSSL_HANDSHAKE {
        # [SSL::cipher version] returns the negotiated protocol, e.g. TLSv1, TLSv1.1, TLSv1.2
        switch -glob [SSL::cipher version] {
            "*1.1*" -
            "*1.2*" {
                log local0. "[IP::client_addr] Good guy."
            }
            default {
                # anything else (TLSv1, SSLv3, ...) is a legacy client
                log local0. "[IP::client_addr] is a horrible luddite."
            }
        }
    }
    
  • May I ask why you're thinking about disabling TLS1.0 at this point? Is it your self-initiative, or is there an applicable regulation pushing you?

     

    The point in PCI DSS 3.1 which says that TLS1.0 must not be supported is still valid, but the enforcement of the ruling was postponed by 2 years. This means the new deadline for disabling TLS1.0 is 2018 June 30 (this applies to all existing services).

     

    Source: http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls

     

    I'd say go for it, if you feel like doing so. Just keep in mind that there will be considerable impact mainly due to IE10 users (IE10 does not support TLS1.1/1.2 with default configuration). There are also those who use IE8 and IE9 these days. You may estimate that disabling TLS1.0 today will cut off about 1.2% of customer base, out of which 0.7% are legacy IE users and another 0.5% who use another obsolete web browser. (Source: http://www.w3schools.com/browsers/browsers_explorer.asp)

     

    Tip: If you want a decent level of security, and cut off as little customer base as possible, the best tip is to not be more restrictive than large retail banks :). None of the biggest 4 have disabled TLS1.0 at this point.

     

    • Chris_Olson_172
      TLS 1.0 has been upgraded to a medium vulnerability and we are scanned monthly and quarterly. The results are published and our security status has gone down due to this. On top of that, multiple clients are requesting that we move forward and get rid of TLS 1.0 since this has been known to be weak since 2013-2014. That said, we are moving forward with testing all applications to support TLS 1.2 so we can remove TLS 1.0. It's a long process and will require multiple client communications but best to stay ahead of the game.
  • I use a different iRule that provides some further information in diagnosing issues like this. The other iRule is just as good but depends on the information you want to collect 🙂

    when HTTP_REQUEST {
        # log once per connection: the per-connection variable "logged" survives across requests
        if { [info exists logged] && $logged == 1 } {
            # Do nothing. Already logged for this connection
        } else {
            set logged 1
            log "Rule DEV_CIPHER_logging fired, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] Client:[HTTP::header "User-Agent"]:[HTTP::host]"
        }
    }
    
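Once one of these iRules has been logging for a while, the remaining work is turning /var/log/ltm into an inventory of who still negotiates TLS 1.0. The script below is an added example, not code from the thread or from F5: it parses lines in the exact message format emitted by the DEV_CIPHER_logging iRule above and reports, per source address, the protocol versions, user agents and hostnames seen. It assumes that [SSL::cipher version] reports TLS 1.0 as TLSv1 (with TLSv1.1 and TLSv1.2 for newer versions); the log lines, addresses and user agents embedded in it are constructed sample data.

```python
"""Summarise which clients still negotiate legacy TLS from BIG-IP iRule log lines."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the message format of the DEV_CIPHER_logging iRule
# above, with a typical syslog prefix (not real traffic; addresses are documentation ranges).
SAMPLE_LOG = """\
Jun  9 10:01:12 bigip1 info tmm[1234]: Rule DEV_CIPHER_logging fired, from 203.0.113.10 to vip 198.51.100.5 Cipher AES256-SHA:TLSv1:256 Client:Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1):www.example.com
Jun  9 10:01:13 bigip1 info tmm[1234]: Rule DEV_CIPHER_logging fired, from 203.0.113.11 to vip 198.51.100.5 Cipher ECDHE-RSA-AES128-GCM-SHA256:TLSv1.2:128 Client:Mozilla/5.0 (Windows NT 10.0) Chrome/51.0:www.example.com
Jun  9 10:01:14 bigip1 info tmm[1234]: Rule DEV_CIPHER_logging fired, from 203.0.113.10 to vip 198.51.100.5 Cipher AES256-SHA:TLSv1:256 Client:Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1):www.example.com
Jun  9 10:01:15 bigip1 info tmm[1234]: Rule DEV_CIPHER_logging fired, from 203.0.113.12 to vip 198.51.100.6 Cipher AES128-SHA:TLSv1:128 Client:Java/1.6.0_45:api.example.com
Jun  9 10:01:16 bigip1 info tmm[1234]: Rule DEV_CIPHER_logging fired, from 203.0.113.13 to vip 198.51.100.5 Cipher ECDHE-RSA-AES128-GCM-SHA256:TLSv1.1:128 Client:curl/7.47.0:www.example.com
"""

# The syslog prefix is skipped. The user-agent is matched greedily so that the
# hostname after the final colon is picked out even if the UA itself contains colons.
LINE_RE = re.compile(
    r"Rule DEV_CIPHER_logging fired, from (?P<src>\S+) to vip (?P<vip>\S+) "
    r"Cipher (?P<cipher>[^:\s]+):(?P<version>[^:\s]+):(?P<bits>\d+) "
    r"Client:(?P<ua>.*):(?P<host>\S+)\s*$"
)

# Assumed values of [SSL::cipher version]; anything below TLSv1.1 is treated as legacy.
LEGACY_VERSIONS = frozenset({"SSLv2", "SSLv3", "TLSv1"})


def parse_line(line):
    """Return the fields of one cipher-log line as a dict, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["bits"] = int(fields["bits"])
    return fields


def legacy_tls_report(lines, legacy=LEGACY_VERSIONS):
    """Count requests per protocol version and collect details of legacy clients.

    Returns {"version_counts": {version: n}, "legacy_clients": {src_ip: {...}}}.
    """
    version_counts = Counter()
    clients = defaultdict(
        lambda: {"versions": set(), "user_agents": set(), "hosts": set(), "hits": 0}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line
        version_counts[rec["version"]] += 1
        if rec["version"] in legacy:
            c = clients[rec["src"]]
            c["versions"].add(rec["version"])
            c["user_agents"].add(rec["ua"])
            c["hosts"].add(rec["host"])
            c["hits"] += 1
    return {"version_counts": dict(version_counts), "legacy_clients": dict(clients)}


def format_report(report):
    """Render the report as plain text: version totals, then one line per legacy client."""
    out = [f"{v}: {n} request(s)" for v, n in sorted(report["version_counts"].items())]
    for ip, info in sorted(report["legacy_clients"].items()):
        out.append(
            f"{ip}: {info['hits']} hit(s), versions={sorted(info['versions'])}, "
            f"user_agents={sorted(info['user_agents'])}, hosts={sorted(info['hosts'])}"
        )
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(legacy_tls_report(SAMPLE_LOG.splitlines())))
```

Feed it the real file with `legacy_tls_report(open("/var/log/ltm"))`; because the iRule logs once per connection, the hit counts approximate connections rather than requests, and the user-agent and hostname columns are what make the list actionable when contacting specific client owners.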
  • I need to keep the impact on the logs as small as possible until we can get logging going to a separate device. Worse, I do not have full access to the device and must submit my rule for deployment. The vendor does not support irules so it's a long process if something goes wrong. I tried the below but something is wrong:

     

    when CLIENTSSL_HANDSHAKE { switch -glob [SSL::cipher version] { "1.0" - { { log local0. "[IP::client_addr] Old." }

     

    }

     

    The logs show the following: TCL error: tls_1.0_test - extra switch pattern with no body while executing "switch -glob [SSL::cipher version] { "1.0" - { log local0. "[IP::client_addr] Old." } }"

     

    Where did I go wrong?

     

  • I fixed my syntax error but the rule does not work. In fact, the website failed to load altogether. Is it possible this rule won't work with 10.2.4?

     

    ltm rule tls_1.0_test { when CLIENTSSL_HANDSHAKE { switch -glob [SSL::cipher version] { "1.0" - { log local0. "[IP::client_addr] Old." } } } }

     

  • this might help

     

    when CLIENTSSL_HANDSHAKE {
        # [SSL::cipher version] is assumed to return TLSv1 for TLS 1.0 (TLSv1.1 / TLSv1.2 for newer);
        # an exact pattern keeps the newer versions from matching
        switch -glob [SSL::cipher version] {
            "TLSv1" { log local0. "[IP::client_addr] OLD." }
        }
    }