Forum Discussion
2 way ssl between LMT 11.3HF10 and LTM 11.6
Hello,
We have this problem when we are trying to make a 2-way SSL connection between two F5 LTM devices. The one which starts the connection is LTM 11.3HF10 and the destination has LTM 11.6. The problem is that the SSL connection won't establish. Both are using default ciphers and the connection fails at the SSL handshake. If we take 2-way away and use only 1-way, it works no probs.
This is a TCP dump from the 11.6 device (had to mask a little):
New TCP connection 1: XXX.XXX.XXX.XXX(XXXXX) <-> YYY.YYY.YYY.YYY(YYYYY)
1 1 0.0011 (0.0011) C>SV3.1(57) Handshake
ClientHello
Version 3.1
random[32]=
...
cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
Unknown value 0xff
compression methods
NULL
1 2 0.0011 (0.0000) S>CV3.1(81) Handshake
ServerHello
Version 3.1
random[32]=
...
session_id[32]=
...
cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA
compressionMethod NULL
1 3 0.0011 (0.0000) S>CV3.1(2985) Handshake
Certificate
Subject
...
Issuer
...
Serial ...
Extensions
Extension: X509v3 Subject Alternative Name
Extension: X509v3 Basic Constraints
Extension: X509v3 Key Usage
Critical
Extension: X509v3 Extended Key Usage
Extension: X509v3 Certificate Policies
Extension: X509v3 Authority Key Identifier
Extension: X509v3 CRL Distribution Points
Extension: Authority Information Access
Extension: 1.3.6.1.4.1.11129.2.4.2
Subject
...
Issuer
...
Extensions
Extension: Authority Information Access
Extension: X509v3 Basic Constraints
Critical
Extension: X509v3 Certificate Policies
Extension: X509v3 CRL Distribution Points
Extension: X509v3 Key Usage
Critical
Extension: X509v3 Subject Alternative Name
Extension: X509v3 Subject Key Identifier
Extension: X509v3 Authority Key Identifier
1 4 0.0011 (0.0000) S>CV3.1(302) Handshake
CertificateRequest
certificate_types rsa_sign
certificate_types dss_sign
certificate_types unknown value
certificate_authority
...
certificate_authority
...
1 5 0.0011 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
1 6 0.0031 (0.0019) C>SV3.1(7) Handshake
Certificate
1 7 0.0031 (0.0000) C>SV3.1(262) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[256]=
...
1 8 0.0031 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 9 0.0031 (0.0000) C>SV3.1(48) Handshake
1 10 0.0032 (0.0000) S>CV3.1(2) Alert
level fatal
value handshake_failure
1 0.0032 (0.0000) S>C TCP FIN
1 0.0044 (0.0012) C>S TCP RST
Does anyone have any idea how we should set up ciphers or some other settings in the SSL profiles to get this connection working with 2-way SSL. On the source side (LTM 11.3HF10) we have a serverssl profile that has:
Certificate: client_type_cert
Key: matching_key_for_above_client_cert
Chain: matching_chain_for_above_certificate
Server Authentication:
Server Certificate: require
Authenticate Name: name_of_destination_side_sertificate
Trusted Certificate Authorities: root_and_issuer_bundle_that_matches_destination_side_certificate
Others are defaults from serverssl profile
Destination side (LTM 11.6) has clientssl profile that has:
Certificate: server_cert
Key: matching_key_for_above_server_cert
Chain: matching_chain_for_above_certificate
Client Authentication:
Server Certificate: require
Frequency: always
Trusted Certificate Authorities: root_and_issuer_bundle_that_matches_source_side_client_certificate
Others are defaults from clientssl profile
I appreciate all your help.
-Tommi
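An added note and example, not part of the thread: in the dump above the client's Certificate message is only 7 bytes (C>SV3.1(7) Handshake / Certificate), which is exactly the size of a TLS 1.0 Certificate message whose certificate list is empty (4-byte handshake header plus a 3-byte zero list length), and no CertificateVerify follows it. This Python decoder (written for this note, not F5 code) shows how that length is interpreted; the message bytes are constructed here, not taken from the capture.

```python
# Decoder for the TLS Certificate handshake message (TLS 1.0-1.2, RFC 2246/5246).
# Layout: msg_type(1) | length(3) | certificate_list_length(3) | { cert_length(3) | DER }*
# An empty certificate list gives a 7-byte message, which is what "(7)" in the
# ssldump line for the client's Certificate means: no client certificate was sent.
HANDSHAKE_CERTIFICATE = 11


def parse_certificate_message(msg: bytes) -> list:
    """Return the list of DER certificate blobs carried by a Certificate message."""
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    msg_type = msg[0]
    body_len = int.from_bytes(msg[1:4], "big")
    if msg_type != HANDSHAKE_CERTIFICATE:
        raise ValueError(f"not a Certificate message (type {msg_type})")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake body length does not match header")
    if len(body) < 3:
        raise ValueError("Certificate body shorter than certificate_list length field")
    list_len = int.from_bytes(body[0:3], "big")
    data = body[3:3 + list_len]
    if len(data) != list_len:
        raise ValueError("certificate_list length does not match body")
    certs, pos = [], 0
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated certificate length field")
        cert_len = int.from_bytes(data[pos:pos + 3], "big")
        pos += 3
        cert = data[pos:pos + cert_len]
        if len(cert) != cert_len:
            raise ValueError("truncated certificate entry")
        certs.append(cert)
        pos += cert_len
    return certs


def build_certificate_message(certs) -> bytes:
    """Encode a Certificate message from DER blobs (inverse of the parser)."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


# Constructed sample: the on-wire form of a Certificate message with no certificate.
EMPTY_CLIENT_CERT_MSG = build_certificate_message([])


def client_presented_certificate(msg: bytes) -> bool:
    """True only when the peer actually sent at least one certificate."""
    return len(parse_certificate_message(msg)) > 0
```

A server whose clientssl profile requires a client certificate answers such an empty message with a fatal handshake_failure alert, so the thing to check on the sending side is whether its serverssl profile actually has a certificate and key configured that it is willing to present.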
2 Replies
- theCook
Employee
Hi Tommi, I would start with seeing if you can get a better error out of the client side of the 11.6 device. To do this, in the clientssl profile, uncheck the "generic alert" option. With that enabled it will always fail with "handshake_failure". Unchecking it might get you something more specific to help lead you in the right direction. -Tim
- Tomeriz
Nimbostratus
Actually that dump is from ssldump and I don't think it can get any more detailed error than that. I'm just thinking, has that 11.6 such a heavily patched SSL implementation that it doesn't support any 11.3hf10 ciphers by default?
-Tommi
