
I'd like to disable everything older than TLS 1.2 on an F5 BIG-IP, and before doing so I'd like to report on all servers using older ciphers for remediation.

Even if this is just a list of IP addresses or debug output I can parse; otherwise, how can I obtain similar data to accomplish the same?

makerofthings7

1 Answer

You can set an iRule that will log connections to a remote log server. That will require a syslog server and a pool that contains it. You can log all TLS types to know which hosts are OK and which require an upgrade; it also helps with generating a report:

```tcl
# Log the negotiated TLS version of every HTTP request to a remote syslog
# server via High Speed Logging (HSL). Requires a client SSL profile on the
# virtual server and a pool named syslog_server_pool containing the syslog host(s).
when HTTP_REQUEST {
    set hsl [HSL::open -proto UDP -pool syslog_server_pool]
    set time [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %Z"]

    # One log line per protocol version so the output is easy to grep and count.
    if {[SSL::cipher version] equals "TLSv1"} {
        HSL::send $hsl "TLSv1 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    }
    if {[SSL::cipher version] equals "TLSv1.1"} {
        HSL::send $hsl "TLSv1.1 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    }
    if {[SSL::cipher version] equals "TLSv1.2"} {
        HSL::send $hsl "TLSv1.2 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    }
}
```

nethero
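As an added example, not part of the question or the answer above: a small Python script that parses the log lines the iRule sends to the syslog server and turns them into the per-host remediation list the question asks for. The sample log lines are constructed; the syslog prefix, pool name and VIP addresses are assumptions.

```python
import re
from collections import defaultdict

# Format emitted by the iRule in the answer, after whatever syslog prefix the collector adds:
# "TLSv1 Request Detected: Time = 12/Jan/2024:10:00:01 UTC, Client IP:Port = 10.0.0.5:51234, F5 VIP:Port = 192.0.2.10:443"
LINE_RE = re.compile(
    r"(?P<version>TLSv1(?:\.[0-3])?) Request Detected: "
    r"Time = (?P<time>[^,]+), "
    r"Client IP:Port = (?P<client>[^:]+):(?P<cport>\d+), "
    r"F5 VIP:Port = (?P<vip>[^:]+):(?P<vport>\d+)"
)

# Versions that will stop working once everything below TLS 1.2 is disabled.
LEGACY_VERSIONS = ("TLSv1", "TLSv1.1")

def parse_line(line):
    """Return the fields of one iRule log entry, or None if the line is not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def build_report(lines):
    """Map each TLS version to the set of (client_ip, 'vip:port') pairs that used it."""
    report = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated syslog message or truncated line; skip it
        report[rec["version"]].add((rec["client"], f"{rec['vip']}:{rec['vport']}"))
    return report

def remediation_list(report):
    """Client IPs that negotiated a legacy version, each with the sorted VIPs it reached."""
    clients = defaultdict(set)
    for version in LEGACY_VERSIONS:
        for client, vip in report.get(version, ()):
            clients[client].add(vip)
    return {c: sorted(v) for c, v in sorted(clients.items())}

# Constructed sample lines (hypothetical syslog prefix) in the exact format the iRule sends.
SAMPLE_LOG = """\
<134>Jan 12 10:00:01 bigip1 tmm[1234]: TLSv1 Request Detected: Time = 12/Jan/2024:10:00:01 UTC, Client IP:Port = 10.0.0.5:51234, F5 VIP:Port = 192.0.2.10:443
<134>Jan 12 10:00:02 bigip1 tmm[1234]: TLSv1.2 Request Detected: Time = 12/Jan/2024:10:00:02 UTC, Client IP:Port = 10.0.0.6:51235, F5 VIP:Port = 192.0.2.10:443
<134>Jan 12 10:00:03 bigip1 tmm[1234]: TLSv1.1 Request Detected: Time = 12/Jan/2024:10:00:03 UTC, Client IP:Port = 10.0.0.5:51236, F5 VIP:Port = 192.0.2.11:443
<134>Jan 12 10:00:04 bigip1 tmm[1234]: unrelated message
""".splitlines()

if __name__ == "__main__":
    rep = build_report(SAMPLE_LOG)
    for version in sorted(rep):
        print(f"{version}: {len(rep[version])} client/VIP pair(s)")
    for client, vips in remediation_list(rep).items():
        print(f"needs upgrade: {client} -> {', '.join(vips)}")
```

Feed it the syslog file collected from the pool's server instead of SAMPLE_LOG to get the real list.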