AaronMLong_1021
Feb 18, 2016

TLS support in iRule editor

After updating my supported cipher/protocol list on the default clientssl profile on my BigIP LTM:

NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!TLSv1:-RC4:@SPEED

I'm no longer able to connect the F5 iRule editor to my BigIP. Is 0.11.6.1 only supporting TLS1.0?

  • mo_99289 (Historic F5 Account)

    When using the cipher string you provided, the ciphers used by the default clientssl profile are below; the list doesn't contain TLS1.0, so it might be the cause. You could capture the SSL session between the iRule Editor and the BIG-IP to find out more info.

                      ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA 
     1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
     2: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA 
     3: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
     4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA 
     5: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA 
     6: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
     7: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
     8:   163  DHE-DSS-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  DHE/DSS   
     9:   106  DHE-DSS-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  DHE/DSS   
    10:    56  DHE-DSS-AES256-SHA               256  TLS1.1  Native  AES       SHA     DHE/DSS   
    11:    56  DHE-DSS-AES256-SHA               256  TLS1.2  Native  AES       SHA     DHE/DSS   
    12:    56  DHE-DSS-AES256-SHA               256  DTLS1   Native  AES       SHA     DHE/DSS   
    13: 49202  ECDH-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM   SHA384  ECDH_RSA  
    14: 49198  ECDH-ECDSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM   SHA384  ECDH_ECDSA
    15: 49194  ECDH-RSA-AES256-SHA384           256  TLS1.2  Native  AES       SHA384  ECDH_RSA  
    16: 49190  ECDH-ECDSA-AES256-SHA384         256  TLS1.2  Native  AES       SHA384  ECDH_ECDSA
    17: 49167  ECDH-RSA-AES256-SHA              256  TLS1.1  Native  AES       SHA     ECDH_RSA  
    18: 49167  ECDH-RSA-AES256-SHA              256  TLS1.2  Native  AES       SHA     ECDH_RSA  
    19: 49157  ECDH-ECDSA-AES256-SHA            256  TLS1.1  Native  AES       SHA     ECDH_ECDSA
    20: 49157  ECDH-ECDSA-AES256-SHA            256  TLS1.2  Native  AES       SHA     ECDH_ECDSA
    21:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA       
    22:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA       
    23:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA       
    24:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA       
    25:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA       
    26: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.1  Native  DES       SHA     ECDHE_RSA 
    27: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA 
    28: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1.1  Native  DES       SHA     ECDHE_ECDSA
    29: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1.2  Native  DES       SHA     ECDHE_ECDSA
    30: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1.1  Native  DES       SHA     ECDH_RSA  
    31: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1.2  Native  DES       SHA     ECDH_RSA  
    32: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1.1  Native  DES       SHA     ECDH_ECDSA
    33: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1.2  Native  DES       SHA     ECDH_ECDSA
    34:    10  DES-CBC3-SHA                     168  TLS1.1  Native  DES       SHA     RSA       
    35:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA       
    36:    10  DES-CBC3-SHA                     168  DTLS1   Native  DES       SHA     RSA       
    37: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA 
    38: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
    39: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA 
    40: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
    41: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA 
    42: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA 
    43: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
    44: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
    45:   162  DHE-DSS-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  DHE/DSS   
    46:    64  DHE-DSS-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  DHE/DSS   
    47:    50  DHE-DSS-AES128-SHA               128  TLS1.1  Native  AES       SHA     DHE/DSS   
    48:    50  DHE-DSS-AES128-SHA               128  TLS1.2  Native  AES       SHA     DHE/DSS   
    49:    50  DHE-DSS-AES128-SHA               128  DTLS1   Native  AES       SHA     DHE/DSS   
    50: 49201  ECDH-RSA-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM   SHA256  ECDH_RSA  
    51: 49197  ECDH-ECDSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM   SHA256  ECDH_ECDSA
    52: 49193  ECDH-RSA-AES128-SHA256           128  TLS1.2  Native  AES       SHA256  ECDH_RSA  
    53: 49189  ECDH-ECDSA-AES128-SHA256         128  TLS1.2  Native  AES       SHA256  ECDH_ECDSA
    54: 49166  ECDH-RSA-AES128-SHA              128  TLS1.1  Native  AES       SHA     ECDH_RSA  
    55: 49166  ECDH-RSA-AES128-SHA              128  TLS1.2  Native  AES       SHA     ECDH_RSA  
    56: 49156  ECDH-ECDSA-AES128-SHA            128  TLS1.1  Native  AES       SHA     ECDH_ECDSA
    57: 49156  ECDH-ECDSA-AES128-SHA            128  TLS1.2  Native  AES       SHA     ECDH_ECDSA
    58:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA       
    59:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA       
    60:    47  AES128-SHA                       128  TLS1.1  Native  AES       SHA     RSA       
    61:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA       
    62:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA       
    63:   135  DHE-DSS-CAMELLIA256-SHA          256  TLS1.1  Native  CAMELLIA  SHA     DHE/DSS   
    64:   135  DHE-DSS-CAMELLIA256-SHA          256  TLS1.2  Native  CAMELLIA  SHA     DHE/DSS   
    65:   132  CAMELLIA256-SHA                  256  TLS1.1  Native  CAMELLIA  SHA     RSA       
    66:   132  CAMELLIA256-SHA                  256  TLS1.2  Native  CAMELLIA  SHA     RSA       
    67:    68  DHE-DSS-CAMELLIA128-SHA          128  TLS1.1  Native  CAMELLIA  SHA     DHE/DSS   
    68:    68  DHE-DSS-CAMELLIA128-SHA          128  TLS1.2  Native  CAMELLIA  SHA     DHE/DSS   
    69:    65  CAMELLIA128-SHA                  128  TLS1.1  Native  CAMELLIA  SHA     RSA       
    70:    65  CAMELLIA128-SHA                  128  TLS1.2  Native  CAMELLIA  SHA     RSA       
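    The diagnosis above boils down to a set intersection: the profile only offers the protocol versions that appear in the PROT column, and a client that can only speak TLS1.0 has nothing in common with it. The script below is an added example, not code from the thread or from F5. It parses a constructed excerpt of the cipher table (same column layout as the listing above), reports which protocol versions the profile offers, and tells you whether a client limited to a given set of versions can negotiate at all. A second function pins a live handshake to one TLS version so you can confirm the profile's behaviour against your own BIG-IP virtual server; the host name and port in it are placeholders you supply, and it is not exercised offline.

```python
"""Summarise which protocol versions a BIG-IP clientssl cipher list offers.

Added example (not from the thread). SAMPLE_CIPHER_TABLE is a constructed
excerpt in the same column layout as `tmm --clientciphers` output.
"""
import re
import socket
import ssl
from collections import Counter
from dataclasses import dataclass

SAMPLE_CIPHER_TABLE = """\
      ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA
12:    56  DHE-DSS-AES256-SHA               256  DTLS1   Native  AES       SHA     DHE/DSS
34:    10  DES-CBC3-SHA                     168  TLS1.1  Native  DES       SHA     RSA
"""


@dataclass(frozen=True)
class CipherRow:
    index: int
    suite_id: int
    suite: str
    bits: int
    protocol: str
    method: str
    cipher: str
    mac: str
    keyx: str


# One data row: "<n>: <id>  <suite>  <bits>  <prot>  <method>  <cipher>  <mac>  <keyx>"
ROW_RE = re.compile(
    r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_cipher_table(text):
    """Return the data rows of a cipher listing; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # header, blank or otherwise non-row line
            continue
        idx, sid, suite, bits, prot, method, ciph, mac, keyx = m.groups()
        rows.append(CipherRow(int(idx), int(sid), suite, int(bits),
                              prot, method, ciph, mac, keyx))
    return rows


def protocols_offered(rows):
    """Count how many suite entries the profile offers per protocol version."""
    return Counter(r.protocol for r in rows)


def supports_protocol(rows, protocol):
    return any(r.protocol == protocol for r in rows)


def client_can_negotiate(rows, client_protocols):
    """Which of the client's protocol versions does the profile also offer?

    An empty result means the handshake cannot succeed, which is exactly the
    TLS1.0-only-client-versus-!TLSv1-profile situation in this thread.
    """
    return [p for p in client_protocols if supports_protocol(rows, p)]


# Map the PROT column's names onto the ssl module's version enum.
_VERSIONS = {
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_tls_version(host, port, protocol, timeout=5.0):
    """Attempt one handshake pinned to a single TLS version.

    Returns True if the server completed the handshake, False if it (or the
    local OpenSSL, which may itself refuse TLS1.0/1.1 at its default security
    level) rejected it, and None on a TCP-level failure. Certificate checks
    are disabled because only protocol support is being tested here.
    host/port are placeholders for your own virtual server.
    """
    version = _VERSIONS[protocol]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False
    except OSError:
        return None


if __name__ == "__main__":
    rows = parse_cipher_table(SAMPLE_CIPHER_TABLE)
    print("offered:", dict(protocols_offered(rows)))
    print("TLS1.0-only client can negotiate:", client_can_negotiate(rows, ["TLS1.0"]))
    # Against a real BIG-IP (placeholders): probe_tls_version("bigip.example", 443, "TLS1.0")
```

    Run it against the full listing from your own unit (paste the output of the cipher query into `SAMPLE_CIPHER_TABLE` or read it from a file) and `client_can_negotiate(rows, ["TLS1.0"])` comes back empty, matching the observed failure of the TLS1.0-only iRule Editor. The live probe is the confirmation step: if `probe_tls_version(host, port, "TLS1.2")` succeeds while the `"TLS1.0"` probe fails, the profile is behaving as the cipher string intends and the client is the side that needs fixing or proxying.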
    
  • Hi Aaron,

    The iRule Editor is unfortunately using very insecure SSL/TLS libs and/or settings.

    Besides the missing TLS1.1 and TLS1.2 support, the iRule Editor is not even checking for trusted certificates, name matching, and revocation information. So if security is a concern, you had better use a desktop-based SSL inspection proxy (e.g. Fiddler2) to connect the iRule Editor to your F5.

    Cheers, Kai

  • Thanks, Kai & Mo. Any chance that better TLS support is going to show up in an upcoming update of the iRule editor? I can certainly use Fiddler to proxy it, but it does seem silly.