Brad_Parker
Feb 13, 2015

iControl and TLSv1.2

Has anybody encountered issues with iControl when you lock httpd down to only allow TLSv1.2? Device trust creation, Big-IQ, iRule editor, PowerShell iControl cmdlets, etc. all fail to connect when we restrict the management interface (httpd) to only TLSv1.2. The GUI still works in a browser, however. TCPDUMP suggests all these iControl functions only offer TLS 1.0 in the ClientHello.
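
The post above diagnoses the failure from the ClientHello seen in tcpdump. As an added example (not part of the original thread and not F5 code), this Python script reads the highest protocol version a captured ClientHello record offers and reports whether it tops out below TLSv1.2. The function names and the sample bytes are constructed for illustration.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def max_offered(record: bytes) -> int:
    """Highest protocol version (wire value) offered by a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        best = struct.unpack("!H", hello[:2])[0]       # client_version field
        pos = 34                                        # skip version + random
        pos += 1 + hello[pos]                           # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                           # compression_methods
        if pos + 2 > len(hello):
            return best                                 # no extensions present
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            if etype == 43 and data:                    # supported_versions
                stop = min(1 + data[0], len(data) - 1)
                vers = [int.from_bytes(data[i:i + 2], "big")
                        for i in range(1, stop, 2)]
                known = [v for v in vers if v in NAMES]  # ignores GREASE values
                best = max(known, default=best)  # extension overrides field
            pos += 4 + elen
        return best
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def rejected_by_tls12_only(record: bytes) -> bool:
    """True if the hello tops out below TLSv1.2, so a TLSv1.2-only server refuses it."""
    return max_offered(record) < 0x0303

def sample_hello(version: int, extensions: bytes = b"") -> bytes:
    """Constructed ClientHello for the demo, not bytes from a real capture."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # empty session_id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"    # one suite, null compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(NAMES[max_offered(sample_hello(0x0301))])  # constructed TLS 1.0 hello
```

To use it on a real capture, pass the bytes of the first TLS record the client sends, starting at the record header.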

 

5 Replies

  • Hi Brad, what version are you running? I currently have a similar problem establishing device trust when I remove SSLv3 from the supported list. With SSLv3 allowed it works, with SSLv3 disabled it doesn't. I'm running 11.5.1 HF7 on a 2400.
  • The iRule Editor and PowerShell Cmdlets both use the iControl library for .NET, which just uses the base HTTP classes in the .NET Framework to open a connection to https://bigip/iControl/iControlPortal.cgi. There is no code in there to specify which ciphers to use. I'll have to dig into the code to see if there's a way around it...
  • Same issue here. SSLv3 was disabled for us over the weekend on the management interface, and now iControl doesn't work.
  • Has this issue ever been resolved? Or even documented anywhere with specifics?

     

    We just got bit with this on 11.6.2: we'd disabled sslv3 and tlsv1 for the admin GUI. Months later, we replaced device certs and needed to rebuild device trust. FAIL. Set back to defaults:

        sys httpd ssl-ciphersuite DEFAULT
        sys httpd ssl-protocol all

     

    Presto... iControl worked just fine. SMH