F5 irule to log TLS version and SSL Handshake Information

The Overview

In this post, we are going to share the iRule we recently designed for one of our requirements. We basically wanted to log when a client uses a weak cipher or a deprecated protocol like SSLv3, TLSv1.0 or TLSv1.1.

This iRule helps you get insight into which protocols and ciphers your clients are actually using. If you are planning to disable SSLv3, TLSv1.0 and TLSv1.1 on your F5 LTM for any Virtual IP (domain), it is highly recommended that you enable this iRule for a week and capture the list of client IP addresses that use weak ciphers or deprecated protocols. That way you know what is going to happen once you stop supporting these protocols or ciphers, and based on this data you can also take preventive measures to avoid any business loss.

Without further ado, here comes the iRule.


The iRule for SSL Handshake Logging

when CLIENTSSL_HANDSHAKE {
    # Fires once the client-side SSL/TLS handshake has completed, so the
    # SSL::cipher values below reflect what was actually negotiated.
    # Only the first matching branch logs, so each handshake produces one line.
    if { [SSL::cipher version] contains "SSL" } {
        # SSLv3 (or SSLv2) was negotiated
        log local0. "DETECTED-SSL - LOG_SSL_LEVEL - Client: [IP::client_addr] successfully negotiates [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    } elseif { [SSL::cipher name] contains "DES" } {
        # Matches DES and 3DES cipher names such as DES-CBC3-SHA
        log local0. "DETECTED-DES - LOG_SSL_LEVEL - Client: [IP::client_addr] successfully negotiates [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    } elseif { [SSL::cipher name] contains "RC4" } {
        log local0. "DETECTED-RC4 - LOG_SSL_LEVEL - Client: [IP::client_addr] successfully negotiates [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    } elseif { [SSL::cipher bits] < 128 } {
        # Any remaining cipher with a key shorter than 128 bits
        log local0. "DETECTED-LESS128-CIPHER - LOG_SSL_LEVEL - Client: [IP::client_addr] successfully negotiates [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    } elseif { [SSL::cipher version] equals "TLSv1" } {
        log local0. "DETECTED-TLSv1.0-CONNECTION - LOG_SSL_LEVEL - Client: [IP::client_addr] successfully negotiates [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    } elseif { [SSL::cipher version] equals "TLSv1.1" } {
        log local0. "DETECTED-TLSv1.1-CONNECTION - LOG_SSL_LEVEL - Client: [IP::client_addr] successfully negotiates [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    }
}


The Sample Log Generated

In the sample log generated on our lab machine, you can see the client IP, the SSL cipher version and the SSL cipher name printed along with the VIP name.

I can attach this iRule to any VIP of my choice that needs to be monitored for weak ciphers or deprecated SSL protocols.

Feb 12 03:42:52 mwi-f5-ltm1 info tmm1[11453]: Rule /Common/CLIENTSSL_HANDSHAKE_LOGGING
<CLIENTSSL_HANDSHAKE>: DETECTED-TLSv1.0-CONNECTION - LOG_SSL_LEVEL - Client: 205.161.92.14%1 
successfully negotiates TLSv1 - ECDHE-RSA-AES256-CBC-SHA - 256 - For the VIP - /PROD/WWW.TECHOLAF.COM-ANY-VIP

Feb 12 03:42:52 mwi-f5-ltm1 info tmm1[11453]: Rule /Common/CLIENTSSL_HANDSHAKE_LOGGING 
<CLIENTSSL_HANDSHAKE>: DETECTED-TLSv1.0-CONNECTION - LOG_SSL_LEVEL - Client: 205.168.62.14%1 
successfully negotiates TLSv1 - ECDHE-RSA-AES256-CBC-SHA - 256 - For the VIP - /PROD/WWW.TECHOLAF.COM-ANY-VIP 

Feb 12 03:42:52 mwi-f5-ltm1 info tmm1[11453]: Rule /Common/CLIENTSSL_HANDSHAKE_LOGGING 
<CLIENTSSL_HANDSHAKE>: DETECTED-TLSv1.0-CONNECTION - LOG_SSL_LEVEL - Client: 192.168.62.18%1 
successfully negotiates TLSv1 - ECDHE-RSA-AES256-CBC-SHA - 256 - For the VIP - /PROD/WWW.TECHOLAF.COM-ANY-VIP 
Feb 12 03:42:52 mwi-f5-ltm1 info tmm[11453]: Rule /Common/CLIENTSSL_HANDSHAKE_LOGGING
<CLIENTSSL_HANDSHAKE>: DETECTED-TLSv1.0-CONNECTION - LOG_SSL_LEVEL - Client: 72.48.128.30%1 
successfully negotiates TLSv1 - ECDHE-RSA-AES128-CBC-SHA - 256 - For the VIP - /PROD/WWW.TECHOLAF.COM-ANY-VIP
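To turn a week of these log lines into the per-VIP list of affected clients the post recommends collecting, here is a small parser written for this article (it is not part of the original post or of F5's tooling). The log sample inside it is constructed in the same format: the first line copies the post's sample, the others are made-up clients using RFC 5737 addresses.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/ltm lines in the format the iRule writes.
# First line is the post's own sample; the rest are made-up clients that hit
# the 3DES and SSLv3 branches, plus one unrelated ltm line to show it is skipped.
SAMPLE_LOG = """\
Feb 12 03:42:52 mwi-f5-ltm1 info tmm1[11453]: Rule /Common/CLIENTSSL_HANDSHAKE_LOGGING <CLIENTSSL_HANDSHAKE>: DETECTED-TLSv1.0-CONNECTION - LOG_SSL_LEVEL - Client: 205.161.92.14%1 successfully negotiates TLSv1 - ECDHE-RSA-AES256-CBC-SHA - 256 - For the VIP - /PROD/WWW.TECHOLAF.COM-ANY-VIP
Feb 12 03:42:53 mwi-f5-ltm1 info tmm1[11453]: Rule /Common/CLIENTSSL_HANDSHAKE_LOGGING <CLIENTSSL_HANDSHAKE>: DETECTED-TLSv1.0-CONNECTION - LOG_SSL_LEVEL - Client: 205.161.92.14%1 successfully negotiates TLSv1 - ECDHE-RSA-AES256-CBC-SHA - 256 - For the VIP - /PROD/WWW.TECHOLAF.COM-ANY-VIP
Feb 12 03:42:55 mwi-f5-ltm1 info tmm0[11453]: Rule /Common/CLIENTSSL_HANDSHAKE_LOGGING <CLIENTSSL_HANDSHAKE>: DETECTED-DES - LOG_SSL_LEVEL - Client: 192.0.2.77%1 successfully negotiates TLSv1.2 - DES-CBC3-SHA - 168 - For the VIP - /PROD/WWW.TECHOLAF.COM-ANY-VIP
Feb 12 03:43:01 mwi-f5-ltm1 info tmm1[11453]: Rule /Common/CLIENTSSL_HANDSHAKE_LOGGING <CLIENTSSL_HANDSHAKE>: DETECTED-SSL - LOG_SSL_LEVEL - Client: 198.51.100.9%1 successfully negotiates SSLv3 - AES128-SHA - 128 - For the VIP - /PROD/API.EXAMPLE-VIP
Feb 12 03:43:02 mwi-f5-ltm1 info tmm1[11453]: some unrelated ltm message
"""

# Field layout of the message body; the %N suffix on the client address is
# the BIG-IP route domain and is dropped from the captured client.
LINE_RE = re.compile(
    r"<CLIENTSSL_HANDSHAKE>: (?P<tag>DETECTED-\S+) - LOG_SSL_LEVEL - "
    r"Client: (?P<client>[^%\s]+)(?:%\d+)? "
    r"successfully negotiates (?P<version>\S+) - (?P<cipher>\S+) - "
    r"(?P<bits>\d+) - For the VIP - (?P<vip>\S+)"
)


def parse_line(line):
    """Return the fields of one iRule log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    return rec


def clients_by_finding(log_text):
    """Map (vip, tag) -> sorted distinct client addresses: who would break per VIP."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            found[(rec["vip"], rec["tag"])].add(rec["client"])
    return {key: sorted(addrs) for key, addrs in found.items()}


if __name__ == "__main__":
    for (vip, tag), addrs in sorted(clients_by_finding(SAMPLE_LOG).items()):
        print(f"{vip} {tag}: {len(addrs)} client(s) -> {', '.join(addrs)}")
```

Feed it the real file with `clients_by_finding(open("/var/log/ltm").read())`; repeated handshakes from the same client collapse to one entry, so the counts are distinct clients, not connections.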


How to test your iRule is working

Before deploying it and waiting for real clients to connect, it is good to validate from our end by intentionally connecting to the VIP with a specific protocol version such as TLS 1.0, TLS 1.1 or SSLv3.

In order to do that, you can use curl with the matching protocol option:

curl -v --tlsv1   www.somedomain.com
curl -v --tlsv1.0 www.somedomain.com
curl -v --tlsv1.1 www.somedomain.com
curl -v --tlsv1.2 www.somedomain.com
curl -v --sslv2   www.somedomain.com
curl -v --sslv3   www.somedomain.com

You just have to pass the protocol option for the version you want to exercise; refer to the preceding commands for reference. Each connection should then show up in /var/log/ltm with the matching DETECTED tag.

To know more, you can use curl --help.

Hope it helps.

Thanks,
Sarav AK
