Bjoern-30_35567
Nimbostratus
Mar 27, 2018
Combine SSL Handshake failed messages with cause
Hello,
If an SSL handshake fails, the F5 LTM creates, for example, the following log entry:
info tmm1[11382]: 01260013:6: SSL Handshake failed for TCP S_IP:S_Port -> Dest_IP:Dest_Port
and...
Bjoern-30_35567
Nimbostratus
Mar 27, 2018
I have written an iRule to generate different log messages to solve this problem, but it doesn't work because of the restrictive settings in the SSL profile.
While accessing the VS with TLS 1.0 I get no log message from this iRule. The same happens while accessing with weak ciphers / ciphers which are not configured in the SSL profile.
Accessing with tls 1.2 and a supported cipher suite and no client certificate generates the right log message.
when RULE_INIT {
    # Not defined in the original post; assumed here so the debug log branch below can run.
    set static::CatchSSLErrorsDebug 1
}

when CLIENTSSL_CLIENTHELLO {
    # Initial variable assignment
    set ssl_ciphers_ok 0
    set count_cmd "SSL::cert 0"
    set verify_cmd "SSL::verify_result"
    set failure_cmd "X509::verify_cert_error_string"
    log local0.info " [IP::client_addr] [SSL::cipher name] [SSL::cipher version] "

    # Checking TLS version
    if { [SSL::cipher version] ne "TLSv1.2" } {
        log local0.info " Client [IP::client_addr] no TLS 1.2 accessing [virtual]."
        drop
    }

    # Checking cipher suites: the same set as the original elseif chain
    # (which listed ECDHE-RSA-AES256-GCM-SHA384 three times), matched exactly
    set allowed_ciphers {
        ECDHE-RSA-AES256-GCM-SHA384
        ECDHE-RSA-AES128-GCM-SHA256
        ECDH-RSA-AES256-GCM-SHA384
        ECDH-RSA-AES128-GCM-SHA256
        DHE-RSA-AES256-GCM-SHA384
        DHE-RSA-AES128-GCM-SHA256
        ECDHE-RSA-AES128-SHA256
        DHE-RSA-AES256-SHA256
        DHE-RSA-AES128-SHA256
        ECDH-RSA-AES256-SHA384
        ECDH-RSA-AES128-SHA256
    }
    if { [lsearch -exact $allowed_ciphers [SSL::cipher name]] >= 0 } {
        set ssl_ciphers_ok 1
    } else {
        set ssl_ciphers_ok 0
        log local0.info " Client [IP::client_addr] offers no supported Cipher Suites accessing [virtual]."
        drop
        reject
    }
}

when CLIENTSSL_CLIENTCERT {
    # Is there a client cert present?
    catch {eval $count_cmd} count_result
    if { $count_result eq "" } {
        log local0.info "Client [IP::client_addr] has sent no Client Certificate accessing [virtual]."
        drop
        reject
    } else {
        # Certificate present: check the verification result and log the error string on failure
        catch {eval $verify_cmd} verify_result
        log local0.info "Client [IP::client_addr] $verify_result"
        if { $verify_result ne 0 } {
            catch {eval $failure_cmd $verify_result} failure_result
            if { $static::CatchSSLErrorsDebug == 1 } {
                log local0.info "Client [IP::client_addr] X509::verify_cert_error_string value is... '$failure_result'"
            }
            drop
            reject
        }
    }
}
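Added example, not from the thread or from F5: a small Python script that joins the LTM "SSL Handshake failed" entries in the format quoted above with the cause messages the iRule writes, keyed on client IP, so each failure is reported together with its cause (or marked unknown when the handshake was rejected before the iRule logged anything). The log lines, host name, rule name and virtual server name are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs): LTM handshake-failure entries in the
# format quoted in the thread, plus cause messages in the format the iRule emits.
SAMPLE_LOG = """\
Mar 27 10:00:01 ltm1 info tmm1[11382]: Rule /Common/ssl_cause <CLIENTSSL_CLIENTHELLO>:  Client 192.0.2.10 no TLS 1.2 accessing /Common/vs_https.
Mar 27 10:00:01 ltm1 info tmm1[11382]: 01260013:6: SSL Handshake failed for TCP 192.0.2.10:51234 -> 198.51.100.5:443
Mar 27 10:00:03 ltm1 info tmm1[11382]: Rule /Common/ssl_cause <CLIENTSSL_CLIENTCERT>:  Client 192.0.2.11 has sent no Client Certificate accessing /Common/vs_https.
Mar 27 10:00:03 ltm1 info tmm1[11382]: 01260013:6: SSL Handshake failed for TCP 192.0.2.11:51300 -> 198.51.100.5:443
Mar 27 10:00:09 ltm1 info tmm1[11382]: 01260013:6: SSL Handshake failed for TCP 192.0.2.12:51400 -> 198.51.100.5:443
"""

# Matches the LTM message "SSL Handshake failed for TCP S_IP:S_Port -> Dest_IP:Dest_Port"
FAILED_RE = re.compile(
    r"SSL Handshake failed for TCP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# The iRule's messages all start with "Client <ip> "; the remainder is the cause text.
CAUSE_RE = re.compile(r"Client (?P<src>[\d.]+) (?P<cause>.+?)\s*$")

UNKNOWN = "unknown (rejected before the iRule logged a cause)"


def combine(log_text):
    """Return one (client_ip, 'dest_ip:port', cause) tuple per handshake failure.

    Correlation key is the client IP; causes are consumed in order so that
    repeated failures from one client each get their own message.
    """
    causes = defaultdict(list)
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append(m.groupdict())
            continue
        m = CAUSE_RE.search(line)
        if m and "Rule " in line:  # only iRule-generated lines carry a cause
            causes[m.group("src")].append(m.group("cause"))
    combined = []
    for f in failures:
        queue = causes.get(f["src"]) or []
        cause = queue.pop(0) if queue else UNKNOWN
        combined.append((f["src"], f"{f['dst']}:{f['dport']}", cause))
    return combined


if __name__ == "__main__":
    for src, dst, cause in combine(SAMPLE_LOG):
        print(f"SSL handshake failed {src} -> {dst}: {cause}")
```

The third sample failure has no matching iRule message, which is exactly the situation described in the post (the profile rejects the connection before the iRule can log).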