Forum Discussion

Pat_70435 (Altocumulus)
Aug 28, 2017

Question on SSL Ciphers - Default SSL profile

Has anyone ever resolved any pre-upgrade issues with the F5 regarding server-side SSL profiles and their incompatibility?

I was looking for a way to determine and find what servers will not be compatible with my default serverssl profiles after I upgrade my F5. With moving to the newer versions of code, I understand that some SSL ciphers will be added and others will be removed for security purposes.

I understand that in order to temporarily resolve these issues I can configure the "serverssl-insecure-compatible" option on a VIP. I have a couple hundred VIPs; is there any way to search for which VIPs or servers will not be compatible with the default server-side SSL profile, in order to reduce the impact to those VIPs?


2 Replies

  • wlopez (Cirrocumulus)

    You can upload a qkview to iHealth and use the upgrade advisor feature to get some hints about possible issues that might arise when upgrading your current configuration to the target version.

    Also, if you want to figure out what's currently being negotiated against the servers in each pool you can capture it with an iRule like this:

        when SERVERSSL_HANDSHAKE {
            ISTATS::incr "ltm.virtual.pool [virtual name] c [SSL::cipher version]" 1
            ISTATS::incr "ltm.virtual.pool [virtual name] c [SSL::cipher name]" 1
            ISTATS::incr "ltm.virtual.pool [virtual name] c [SSL::cipher bits]" 1
        }

    You can use the 'istats dump' command to view the accumulated stats.

        [root@f5bigip-lab:Active:In Sync] ~ istats dump
        /var/tmstat/cluster.tm2 [READONLY]: nextBlockId=7776, last update at 2017-08-28 18:05:31

        all facts:

        [ ltm.virtual.pool=/Common/VS_www.mysite.com ][256] = 724 (2017-08-28 18:05:31)
        [ ltm.virtual.pool=/Common/VS_www.mysite.com ][ECDHE-RSA-AES256-SHA384] = 724 (2017-08-28 18:05:31)
        [ ltm.virtual.pool=/Common/VS_www.mysite.com ][TLSv1.2] = 724 (2017-08-28 18:05:31)
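With a couple hundred virtuals, reading the dump by eye does not scale. The script below is an added example (not from the thread or from F5) that parses 'istats dump' lines in the shape the reply shows, groups the counters per virtual into protocol version, cipher name and key bits, and flags virtuals whose back ends negotiated something outside an assumed policy (here: only TLSv1.2 and at least 256-bit keys, purely as an illustration). The sample dump is constructed; `parse_istats` and `flag_virtuals` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample of 'istats dump' output in the shape produced by the
# SERVERSSL_HANDSHAKE iRule in the reply (not real data from the thread).
SAMPLE_DUMP = """\
[ ltm.virtual.pool=/Common/VS_www.mysite.com ][256] = 724 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_www.mysite.com ][ECDHE-RSA-AES256-SHA384] = 724 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_www.mysite.com ][TLSv1.2] = 724 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_legacy_app ][128] = 12 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_legacy_app ][AES128-SHA] = 12 (2017-08-28 18:05:31)
[ ltm.virtual.pool=/Common/VS_legacy_app ][TLSv1] = 12 (2017-08-28 18:05:31)
"""

LINE_RE = re.compile(r"^\[ ltm\.virtual\.pool=(\S+) \]\[([^\]]+)\] = (\d+)")
VERSION_RE = re.compile(r"^(SSLv\d|TLSv1(\.\d)?)$")

def parse_istats(text):
    """Return {virtual: {"version": {..}, "cipher": {..}, "bits": {..}}},
    each inner dict mapping the negotiated value to its handshake count."""
    stats = defaultdict(lambda: {"version": {}, "cipher": {}, "bits": {}})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt, '[READONLY]' and 'all facts:' lines are skipped
        vs, key, count = m.group(1), m.group(2), int(m.group(3))
        if VERSION_RE.match(key):
            kind = "version"
        elif key.isdigit():
            kind = "bits"
        else:
            kind = "cipher"
        stats[vs][kind][key] = stats[vs][kind].get(key, 0) + count
    return dict(stats)

def flag_virtuals(stats, allowed_versions, min_bits):
    """Virtuals whose back ends negotiated a protocol version outside
    allowed_versions or a key length below min_bits (assumed policy inputs)."""
    flagged = {}
    for vs, s in stats.items():
        reasons = [f"version {v}" for v in s["version"] if v not in allowed_versions]
        reasons += [f"{b}-bit" for b in s["bits"] if int(b) < min_bits]
        if reasons:
            flagged[vs] = reasons
    return flagged

if __name__ == "__main__":
    for vs, why in flag_virtuals(parse_istats(SAMPLE_DUMP), {"TLSv1.2"}, 256).items():
        print(vs, "->", ", ".join(why))  # VS_legacy_app -> version TLSv1, 128-bit
```

Feed it the real dump (for example `istats dump > dump.txt` on the box, then read that file instead of SAMPLE_DUMP) and the flagged list is the set of virtuals worth checking against the target version's default serverssl profile before upgrading.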