How to identify if there is an SSL/TLS protocol mismatch between Client and F5 LTM?
1. Check the protocol version used by the client in Wireshark captures under the “Client Hello” packet
2. Check the SSL/TLS protocol version supported by the LTM for a particular VIP
- Run curl checks, if possible from a remote server, one protocol version at a time:
  curl -Ik https://site1.dc1.networkology.net --sslv2
  curl -Ik https://site1.dc1.networkology.net --sslv3
  curl -Ik https://site1.dc1.networkology.net --tlsv1
  curl -Ik https://site1.dc1.networkology.net --tlsv1.0
  curl -Ik https://site1.dc1.networkology.net --tlsv1.1
  curl -Ik https://site1.dc1.networkology.net --tlsv1.2
  Note that --sslv2 and --sslv3 only work with curl builds whose TLS library still includes those protocols, and in current curl releases --tlsv1.0, --tlsv1.1 and --tlsv1.2 set the minimum version rather than pinning it, so pair them with --tls-max (e.g. --tlsv1.1 --tls-max 1.1) to test exactly one version.
- Check if any protocol is negated in the ciphers string of the client-ssl profile:
  tmsh list ltm virtual <VIRTUAL-SERVER> { profiles }
  tmsh list ltm profile client-ssl <PROFILE-NAME> { ciphers }
  Example output showing TLSv1 negated:
  ltm profile client-ssl site1.dc1.networkology.net-clientssl {
      ciphers !TLSv1:DEFAULT
  }
- Check if the protocol is disabled in the options list of the client-ssl profile:
  tmsh list ltm profile client-ssl <PROFILE-NAME> { options }
  Example output showing TLSv1 disabled:
  ltm profile client-ssl site1.dc1.networkology.net-clientssl {
      options { no-tlsv1 }
  }
- Check whether the DEFAULT cipher string lacks the required protocol by listing the cipher suites it expands to:
  tmm --clientciphers DEFAULT | grep "TLS1.1"
  tmm --clientciphers DEFAULT | grep "TLS1"
  tmm --clientciphers DEFAULT | grep "TLS1.2"
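Step 1 reads the client's version from the Client Hello in Wireshark. As an added example (not part of the original page), the following Python parses the same information from the raw record bytes, including the supported_versions extension that TLS 1.3 clients use instead of the legacy version field; it builds its own constructed sample Client Hello to run against, so it needs no capture file.

```python
# Added example (not from the page): parse the ClientHello that step 1 inspects.
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS = 43  # extension type (RFC 8446)


def build_client_hello(legacy_version, supported=None):
    """Constructed sample input: a minimal ClientHello handshake record."""
    ext = b""
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(lst) + 1, len(lst)) + lst
        ext = struct.pack("!H", len(ext)) + ext                 # extensions length
    body = (struct.pack("!H", legacy_version) + bytes(32)       # version, random
            + b"\x00"                                           # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                # one cipher suite
            + b"\x01\x00" + ext)                                # null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # handshake record


def offered_versions(record):
    """Return the protocol versions a ClientHello offers, highest first."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs = record[5:]
    pos = 4                                                      # type + 3-byte len
    legacy = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 32                                                # version + random
    pos += 1 + hs[pos]                                           # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]           # cipher suites
    pos += 1 + hs[pos]                                           # compression
    versions = []
    if pos + 2 <= len(hs):                                       # extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS:
                data = hs[pos + 1:pos + 1 + hs[pos]]             # 1-byte list length
                versions = [struct.unpack("!H", data[i:i + 2])[0]
                            for i in range(0, len(data), 2)]
            pos += elen
    # No extension: legacy_version is the highest offered; lower ones aren't visible.
    versions = sorted(versions, reverse=True) or [legacy]
    return [VERSION_NAMES.get(v, "0x%04x" % v) for v in versions]
```

A TLS 1.3 client's hello reports TLSv1.2 in the legacy field, so comparing only that field against a profile with TLS 1.2 disabled would miss the real mismatch.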
Supplementary information:
List of cipher suites supported under versions 11.x to 13.x – https://support.f5.com/csp/article/K13163
List of ciphers/protocols included in the DEFAULT cipher string for versions 11.x and 12.x – https://support.f5.com/csp/article/K13171
The <cipher string> can be any of the standard cipher string identifiers, such as ALL, DEFAULT, LOW, MEDIUM, HIGH, and NULL.