Forum Discussion

Mike_Maher
Apr 09, 2012

2-Way SSL issue on v11.1

I have a box that I upgraded from v10.2.0 HF 2 to v11.1 HF 2, and now all the applications that have server-side 2-way SSL are not working. I have a case open with support to look into this, but I thought I would see if anyone has any suggestions. I have turned off renegotiation, so that should not be the issue. When I look at the ssldump, it appears that after the ServerHelloDone I see the ASM send a RST. I have 4 applications that connect to different web servers on the back end that perform 2-way SSL (client cert auth), and none of them are working, so something is wrong with the configuration. Has anyone had any experience with this?

  • Hi Mike,

    I have come across a similar sort of issue, and what I have found so far is that the uploaded ssl.crt and ssl.key are missing from the folder where they should be listed. Why this is happening I have no idea, but I believe this is the main reason this problem is happening. Let support help you with this; I am also waiting for them to revert back to me and help me out.

    Regards,

  • Mine is 11.1.0. I do not configure trusted certificate authorities in the serverssl profile since I think it might not be relevant.

    root@ve1110(Active)(/Common)(tmos) show sys version
    
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.1.0
      Build    1943.0
      Edition  Final
      Date     Sun Nov 20 18:27:50 PST 2011
    
    root@ve1110(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.19.252:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            clientssl {
                context clientside
            }
            myserverssl {
                context serverside
            }
            tcp { }
        }
        snat automap
        vlans-disabled
    }
    root@ve1110(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            172.28.19.79:443 {
                address 172.28.19.79
            }
        }
        min-active-members 1
    }
    root@ve1110(Active)(/Common)(tmos) list ltm profile server-ssl myserverssl
    ltm profile server-ssl myserverssl {
        app-service none
        cert client.crt
        defaults-from serverssl
        key client.key
    }
    
     accessing pool member directly
    
    [root@ve1110:Active] config  curl -Ik https://172.28.19.79
    curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
    
    [root@ve1110:Active] config  curl -Ik https://172.28.19.79 --cert /var/tmp/client.crt --key /var/tmp/client.key
    HTTP/1.1 200 OK
    Date: Sat, 14 Apr 2012 07:40:21 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Content-Type: text/html; charset=UTF-8
    
     accessing virtual server
    
    [root@ve1110:Active] config  curl -Ik https://172.28.19.252
    HTTP/1.1 200 OK
    Date: Sat, 14 Apr 2012 07:40:37 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Content-Type: text/html; charset=UTF-8
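
The reply above narrows the problem down by testing the pool member directly with and without the client cert, and the earlier reply points at missing cert/key files. The following script is an added example and not part of this thread: it first checks that a client certificate and its private key are both readable and actually belong together (a mismatched or missing pair fails the handshake in exactly the way the ssldump RST after ServerHelloDone would look), then repeats the two curl probes from the reply and classifies the result by curl's exit status. It assumes openssl and curl are available on the host and that the paths passed in (for example /var/tmp/client.crt and /var/tmp/client.key) are PEM files; the backend URL is whatever you are testing.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl and curl are installed
# and that CERT/KEY are PEM files, e.g. /var/tmp/client.crt and /var/tmp/client.key.

# Verify that a client cert and private key exist and belong together, and
# print the issuer that the backend's trusted-CA list must contain.
# Exit status: 0 = pair is fine, 1 = cert/key mismatch, 2 = a file is missing.
check_mtls_pair() {
    cert="$1"
    key="$2"
    [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 2; }
    [ -r "$key" ]  || { echo "key not readable: $key" >&2; return 2; }
    # The public key inside the cert must equal the public key derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "cert and key do not match: $cert / $key" >&2
        return 1
    fi
    echo "cert/key match; $(openssl x509 -in "$cert" -noout -issuer)"
    return 0
}

# Repeat the two curl probes from the reply against a backend URL.
# Exit status: 0 = backend accepts the cert (look at the server-ssl profile next),
# 1 = backend rejects even with the cert (issuer not trusted, or wrong pair),
# 2 = backend answers without any cert (mutual TLS is not enforced there),
# 3 = no TLS handshake at all (connectivity problem, not a certificate problem).
probe_backend() {
    url="$1"; cert="$2"; key="$3"
    rc=0
    curl -sSIk --max-time 10 "$url" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$url answers without a client cert: mutual TLS is not enforced" >&2
        return 2
    fi
    # curl exit 35 is the SSL connect/handshake error seen in the reply above.
    if [ "$rc" -ne 35 ]; then
        echo "$url: curl exit $rc, not a handshake failure" >&2
        return 3
    fi
    if curl -sSIk --max-time 10 --cert "$cert" --key "$key" "$url" >/dev/null 2>&1; then
        echo "$url accepts $cert: backend side is fine, check the server-ssl profile"
        return 0
    fi
    echo "$url rejects $cert too: compare its issuer with the backend's trusted CAs" >&2
    return 1
}

# Usage (hypothetical paths and address):
#   check_mtls_pair /var/tmp/client.crt /var/tmp/client.key && \
#   probe_backend https://172.28.19.79 /var/tmp/client.crt /var/tmp/client.key
```

Run check_mtls_pair first: if it reports a mismatch or a missing file, the server-ssl profile cannot present a usable certificate no matter how it is configured, which is the situation the first reply describes. Only when the pair is good does probe_backend tell you whether the remaining problem is on the backend (issuer not in its trusted CAs) or in the BIG-IP profile.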