Configuring F5 Re-Encryption
Reformatting:
1 1 0.0266 (0.0266) C>S
SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL2_RC4_128_WITH_MD5
SSL2_DES_64_CBC_WITH_MD5
SSL2_DES_192_EDE3_CBC_WITH_MD5
SSL2_RC4_128_EXPORT40_WITH_MD5
SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
SSL2_RC2_CBC_128_CBC_WITH_MD5
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TCP: 10.30.15.67(8443) -> 10.10.20.190(60064) Seq 1045211207.(0) ACK 3197015237
TCP: 10.30.15.67(8443) -> 10.10.20.190(60064) Seq 1045211207.(0) ACK 3197015237 FIN
1 0.0270 (0.0004) S>C TCP FIN
TCP: 10.10.20.190(60064) -> 10.30.15.67(8443) Seq 3197015237.(0) ACK 1045211208
TCP: 10.10.20.190(60064) -> 10.30.15.67(8443) Seq 3197015237.(0) ACK 1045211208 RST
1 0.0717 (0.0446) C>S TCP RST
So I'm going to assume that you're looking at the client side of the F5 and that the client in this capture is actually the browser you're testing with? Or are you looking at the server side of the F5, and if so, what version of BIG-IP are you running?
You can see from the capture that the client sends an SSLv2 compatible ClientHello and then a list of REALLY old, deprecated and unsafe ciphers to the server. The server then immediately resets the connection. If I had to put money on it, I'd say the server was resetting based on the terrible list of ciphers sent by the client, and so it depends on which side of the F5 you took this capture, and who was the client (your browser or the F5 server side).
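The reading of the capture given in the reply above can be automated. The following is an added example, not part of the original post and not F5 code: it parses ssldump text, flags the offered suites that fall into obsolete categories, and reports whether the server closed the connection without sending a ServerHello. The `RULES` table, the function names and the sample text are assumptions made for illustration.

```python
import re

# Constructed ssldump excerpt, shortened from the shape of the capture above.
SAMPLE = """\
1 1 0.0266 (0.0266) C>S
SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_DH_anon_WITH_AES_128_CBC_SHA
SSL2_DES_64_CBC_WITH_MD5
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1 0.0270 (0.0004) S>C TCP FIN
"""

RECORD = re.compile(r"^\d+(?: \d+)? +[\d.]+ +\([\d.]+\) +(C>S|S>C) *(.*)$")
SUITE = re.compile(r"^(?:TLS|SSL2)_\w+$")
# Assumed rule set: reason -> pattern in the suite name (not an F5 policy).
RULES = {"SSLv2": r"^SSL2_", "anonymous key exchange": r"_anon_",
         "export-grade": r"EXPORT", "RC4/RC2": r"_RC[24]_",
         "DES/3DES": r"DES", "MD5": r"MD5$"}

def weaknesses(suite):
    """Return the reasons a suite name is unsafe to offer (empty if none)."""
    return [why for why, pat in RULES.items() if re.search(pat, suite)]

def analyze(dump):
    """Summarise the ClientHello and the first thing the server sent back."""
    out = {"sslv2_hello": False, "suites": [], "server_reply": None}
    in_suites = False
    for line in map(str.strip, dump.splitlines()):
        rec = RECORD.match(line)
        if rec:  # a new record line ends any cipher suite list
            in_suites = False
            if rec.group(1) == "S>C" and out["server_reply"] is None:
                out["server_reply"] = rec.group(2)
        elif line == "SSLv2 compatible client hello":
            out["sslv2_hello"] = True
        elif line == "cipher suites":
            in_suites = True
        elif in_suites and SUITE.match(line) and not line.endswith("_SCSV"):
            out["suites"].append(line)  # the SCSV is a signal, not a cipher
    out["weak"] = {s: weaknesses(s) for s in out["suites"] if weaknesses(s)}
    out["closed_without_server_hello"] = out["server_reply"] in ("TCP FIN", "TCP RST")
    return out
```

Running `analyze()` on a capture taken on each side of the F5 shows which party offered the obsolete list and which one closed the connection.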