So the monitor cipher list is checked in server-side context, that is, with tmm -serverciphers 'DEFAULT:+SHA:+3DES:+kEDH'
bigd uses the OpenSSL cipher library. You could use openssl ciphers (openssl ciphers DEFAULT:+SHA:+3DES:+kEDH -v) instead of tmm --serverciphers.
Also, when I did an SSL dump for the pool member, LTM bigd sent version SSLv3.1 or TLS 1.0 to the backend server.
Should not LTM send TLS 1.2 first, as this is the highest protocol it supports?
I understand you do see ClientHello version 3.1 because the server does not support TLS 1.2 (on the first connection, bigd sends ClientHello version 3.3 but the server responds with version 3.1, so bigd will send ClientHello version 3.1 on the subsequent connection). To see it, you can remove the https monitor, run ssldump and then re-assign the monitor to the pool.
e.g.
configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm monitor https https
ltm monitor https https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    destination *:*
    interval 5
    ip-dscp 0
    send "GET /\r\n"
    time-until-up 0
    timeout 16
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:443 {
            address 200.200.200.101
            session monitor-enabled
            state up
        }
    }
    monitor https
}
trace
[root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 port 443
New TCP connection 1: 200.200.200.11(37012) <-> 200.200.200.101(443)
1 1 1419466427.8307 (0.0036) C>SV3.1(512) Handshake
ClientHello
Version 3.3
random[32]=
91 2f f5 8a 2d 96 6e ae 08 e8 69 7b 99 19 e1 9a
61 1d bb 68 b2 ca 69 3e e0 e4 5b 49 60 6a 48 59
...snipped...
1 2 1419466427.8602 (0.0295) S>CV3.1(81) Handshake
ServerHello
Version 3.1
random[32]=
54 9b 53 0b c5 4e c9 c3 fd 1e c5 11 41 64 f2 b2
12 63 01 46 94 60 20 56 bb 66 fa d7 ef 54 8d e5
session_id[32]=
d8 e6 ba 14 36 0e 43 ce 07 41 d6 19 3b b3 6d 6a
11 f4 90 03 bb ec 0e 55 ef 27 21 e4 3c 47 2e 91
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
...snipped...
New TCP connection 2: 200.200.200.11(37013) <-> 200.200.200.101(443)
2 1 1419466432.8379 (0.0024) C>SV3.1(236) Handshake
ClientHello
Version 3.1
random[32]=
0d 67 58 de 02 72 e0 fd 0e 46 47 41 4d 17 b3 52
19 a7 c1 c3 6b cd 90 3e 93 ce f1 e2 f7 9c 8e f7
resume [32]=
d8 e6 ba 14 36 0e 43 ce 07 41 d6 19 3b b3 6d 6a
11 f4 90 03 bb ec 0e 55 ef 27 21 e4 3c 47 2e 91
...snipped...
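
Added example, not part of the original thread and not F5 code: a small Python parser for ssldump text like the trace above that reports, per connection, a server choosing a lower version than the client offered, a later ClientHello that falls back to a lower version for the same server, and a weak negotiated suite. The function names and the weak-suite marker list are assumptions made for this sketch; the sample is the trace above with the hex dumps left out.

```python
import re
SAMPLE = """\
New TCP connection 1: 200.200.200.11(37012) <-> 200.200.200.101(443)
1 1 1419466427.8307 (0.0036) C>SV3.1(512) Handshake
ClientHello
Version 3.3
1 2 1419466427.8602 (0.0295) S>CV3.1(81) Handshake
ServerHello
Version 3.1
cipherSuite TLS_RSA_WITH_RC4_128_MD5
New TCP connection 2: 200.200.200.11(37013) <-> 200.200.200.101(443)
2 1 1419466432.8379 (0.0024) C>SV3.1(236) Handshake
ClientHello
Version 3.1
"""  # constructed from the post's ssldump trace, hex dumps omitted
CONN = re.compile(r"New TCP connection #?(\d+): \S+ <-> (\S+)")
RECORD = re.compile(r"(\d+) \d+\s+[\d.]+ \([\d.]+\)\s+[CS]>[CS]")
WEAK = re.compile(r"RC4|MD5|NULL|EXPORT|DES")  # assumed weak-suite markers
def ver(v): return tuple(map(int, v.split(".")))  # "3.3" -> (3, 3)

def parse(trace):
    """Map connection id -> server endpoint, offered/chosen version, cipher suite."""
    conns, cur, msg = {}, None, None
    for line in map(str.strip, trace.splitlines()):
        if m := CONN.match(line):
            conns[int(m[1])] = {"server": m[2], "offered": None, "chosen": None, "cipher": None}
        elif m := RECORD.match(line):          # record header: "<conn> <seq> <time> ..."
            cur, msg = conns.get(int(m[1])), None
        elif line in ("ClientHello", "ServerHello"):
            msg = line
        elif cur and msg and line.startswith("Version "):
            cur["offered" if msg == "ClientHello" else "chosen"] = line.split()[1]
        elif cur and line.startswith("cipherSuite "):
            cur["cipher"] = line.split()[1]
    return conns

def findings(conns):
    """Flag server downgrades, later client fallbacks per server, and weak suites."""
    out, best = [], {}                          # best: highest version offered per server
    for cid, c in sorted(conns.items()):
        off, cho, prev = c["offered"], c["chosen"], best.get(c["server"])
        if off and cho and ver(cho) < ver(off):
            out.append((cid, "server-downgrade", f"{off} -> {cho}"))
        if off and prev and ver(off) < ver(prev):
            out.append((cid, "client-fallback", f"{prev} -> {off}"))
        best[c["server"]] = max(filter(None, (prev, off)), key=ver, default=None)
        if c["cipher"] and WEAK.search(c["cipher"]):
            out.append((cid, "weak-cipher", c["cipher"]))
    return out
```

Calling findings(parse(text)) on a saved ssldump capture returns a list of (connection, finding, detail) tuples; versions are ssldump's numbering, where 3.1 is TLS 1.0 and 3.3 is TLS 1.2.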