Forum Discussion

David_Larsen
Oct 23, 2014

iRule Editor TLS support

We have been asked to block SSLv3 completely on the management interfaces of the F5 hardware. As soon as I do this, the iRule Editor can no longer connect. Is there a way to make the iRule Editor use TLS instead of SSLv3?


Thanks, David


3 Replies

  • I do not believe so. You could, however, proxy the connection using something like socat. In this case, you could run socat locally:

    $ socat openssl-listen:443,reuseaddr,cipher=ALL,cert=server.pem,verify=0,fork openssl-connect:192.168.1.214:443,cipher=ALL,verify=0
    

    There are a number of gotchas. Firstly, since you are running on Windows, you need a version of socat that works on Windows and is compiled with OpenSSL support. I use Cygwin and ensure that both socat and openssl are installed. A trickier problem relates to the local listening port. The iRule Editor appears to use SSL only if the port you connect to is 443. Otherwise, it uses HTTP. However, when it uses HTTP, it appears to die if it gets an HTTP authentication challenge, which it naturally will. This means that you really cannot proxy with any local port except 443 :(. Of course, if you have something else listening locally on port 443, that'll be a problem.

    If all of this can work for you, you may wonder about generating a cert for the local "server" side of this proxy. You must generate a certificate, or you will get a cipher failure. To do this, you can:

    $ openssl genrsa -out server.key 1024
    $ openssl req -new -key server.key -x509 -days 3650 -out server.crt
    $ cat server.key server.crt > server.pem
    

    Depending on the environment, you may also need to:

    $ chmod 600 server.pem
    
  • What worked for me is stunnel with the following configuration:

    [local-open-port]
    client = no
    cert = stunnel.pem
    accept = 127.0.0.1:443
    connect = 127.0.0.1:9876
    
    [redirect-to-bigip]
    client = yes
    accept = 127.0.0.1:9876
    connect = ...:443
    

    Just change the ... to your BIG-IP device address. Once done, you can configure the iRule Editor to connect to localhost on port 443. It works because stunnel will create two different connections (full proxy?), which will also permit two distinct SSL negotiations: one that will work for the iRule Editor and another for the BIG-IP device.
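The two-hop proxy both replies describe, written out as an added example in Python (not code from the thread, from F5 or from the socat/stunnel projects): the listener on 127.0.0.1:443 completes one handshake with the editor, and a fresh TLS 1.2+ connection carries the bytes to the BIG-IP, this time with the appliance certificate verified instead of verify=0. Current OpenSSL no longer builds SSLv3, so the local side can only offer TLS 1.0 as its floor; the addresses, port and file names are assumptions.

```python
import asyncio
import ssl

# Constructed settings for this example; every value here is an assumption.
LISTEN_HOST, LISTEN_PORT = "127.0.0.1", 443        # the editor only speaks SSL on port 443
UPSTREAM_HOST, UPSTREAM_PORT = "192.0.2.10", 443    # placeholder BIG-IP management address
LOCAL_CERT, LOCAL_KEY = "server.crt", "server.key"  # self-signed pair, as generated in reply 1
BIGIP_CA = "bigip-mgmt.crt"                         # the appliance's own cert, exported once

def build_listener_context(certfile, keyfile):
    """Hop 1, facing the legacy client. SSLv3 is compiled out of current OpenSSL,
    so TLS 1.0 is the lowest floor the ssl module can be asked for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # raises ValueError on builds without TLS 1.0
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def build_upstream_context(cafile=None):
    """Hop 2, facing the BIG-IP: TLS 1.2 or newer and the certificate is always
    verified, unlike verify=0 in the socat line. Pass the exported appliance cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False  # reached by IP address; identity comes from the pinned cert
    return ctx

async def pump(src, dst):
    """Copy bytes one way until EOF, then close the other side."""
    try:
        while data := await src.read(65536):
            dst.write(data)
            await dst.drain()
    finally:
        dst.close()

async def handle_client(client_reader, client_writer):
    # Independent second handshake: the appliance never sees the legacy session.
    up_reader, up_writer = await asyncio.open_connection(
        UPSTREAM_HOST, UPSTREAM_PORT, ssl=build_upstream_context(BIGIP_CA))
    await asyncio.gather(pump(client_reader, up_writer), pump(up_reader, client_writer))

async def main():
    server = await asyncio.start_server(handle_client, LISTEN_HOST, LISTEN_PORT,
                                        ssl=build_listener_context(LOCAL_CERT, LOCAL_KEY))
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Whether the editor actually completes the first hop depends on the local OpenSSL build accepting a TLS 1.0 handshake; hardened builds (OpenSSL 3 at its default security level) refuse it, which is the same limitation the 2014 socat and stunnel set-ups now run into.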