Forum Discussion
curl SSL error and external weak ciphers
I have configured a health monitor corresponding to a VIP. When I do a curl test to the site's URL, I get
Unknown SSL protocol error in connection to x.x.x.x
When I examined the site via ssllabs, it has multiple issues with weak ciphers ...
Are the weak ciphers the reason why the curl test is failing?
- Jad_Tabbara__J1
Cirrostratus
Could you print the complete curl command?
Did you use the -k argument to ignore SSL verification errors?
- jaikumar_f5
Noctilucent
I think it's more of a handshake negotiation failure when you did a curl test. But ssllabs performs all sorts of tests from sslv3 to tls1.2 and definitely with multiple ciphers.
So when you do a curl from your machine or even from the F5 itself, is it failing?
Try doing a curl to the VIP and to the backend pool members. You would know which SSL versions the actual VIP and the backend servers really support. Based on that, compare your clientssl and serverssl profiles. You can do the same with ciphers too if the version is not the problem.
openssl s_client -connect IP:PORT -ssl3
openssl s_client -connect IP:PORT -tls1
openssl s_client -connect IP:PORT -tls1_1
openssl s_client -connect IP:PORT -tls1_2
Or even a straightforward approach is to go with the SSLDUMP. Do a tcpdump first,
tcpdump -npi 0.0 -vvv -s0 '(host and host ) or (host and )' -w /var/tmp/ssl_test.pcap
ssldump -nr /var/tmp/ssl_test.pcap > /var/tmp/ssl_test_results.txt
Open /var/tmp/ssl_test_results.txt; this will show you which version and which ciphers it took during the handshake (3.1 is tls1.0 and 3.3 is tls1_2).
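The last step above, reading version and cipher out of the ssldump text, as an added example that is not part of the original post. It assumes the usual ssldump layout (a `New TCP connection` line, then indented `ClientHello`/`ServerHello` blocks with `Version` and `cipherSuite` fields); the sample input and the `summarise` helper are constructed for illustration, and the layout can vary between ssldump builds.

```python
import re

# ssldump prints protocol versions as major.minor (3.1 is TLS 1.0, 3.3 is TLS 1.2).
VERSION_NAMES = {"3.0": "SSLv3", "3.1": "TLS1.0", "3.2": "TLS1.1", "3.3": "TLS1.2"}
# Constructed, abbreviated sample modelled on ssldump text output (not from the thread).
SAMPLE = """\
New TCP connection #1: 192.0.2.10(40112) <-> 192.0.2.20(443)
1 1  0.0011 (0.0011)  C>S  Handshake
      ClientHello
        Version 3.3
        cipher suites
        TLS_RSA_WITH_AES_128_CBC_SHA
1 2  0.0019 (0.0008)  S>C  Handshake
      ServerHello
        Version 3.1
        cipherSuite         TLS_RSA_WITH_AES_128_CBC_SHA
New TCP connection #2: 192.0.2.10(40113) <-> 192.0.2.20(443)
2 1  0.0010 (0.0010)  C>S  Handshake
      ClientHello
        Version 3.3
        cipher suites
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2 2  0.0015 (0.0005)  S>C  Alert
    level           fatal
    value           handshake_failure
"""

def summarise(text):
    """Return one dict per TCP connection: offered/negotiated version, cipher, alert."""
    conns, cur, hello = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("New TCP connection"):
            cur = {"conn": s.split()[3].rstrip(":"), "offered": None,
                   "negotiated": None, "cipher": None, "alert": None}
            conns.append(cur)
            hello = None  # hello state never carries over between connections
        elif cur is None:
            continue      # ignore anything before the first connection line
        elif s in ("ClientHello", "ServerHello"):
            hello = s
        elif hello and (m := re.match(r"Version (\d\.\d)", s)):
            key = "offered" if hello == "ClientHello" else "negotiated"
            cur[key] = VERSION_NAMES.get(m.group(1), m.group(1))
        elif m := re.match(r"cipherSuite\s+(\S+)", s):
            cur["cipher"] = m.group(1)   # only the ServerHello uses this field name
        elif m := re.match(r"value\s+(\S+)", s):
            cur["alert"] = m.group(1)    # alert description, e.g. handshake_failure
    return conns
```

To run it on the real capture, call `summarise(open("/var/tmp/ssl_test_results.txt").read())`; a connection with an alert and no negotiated version is one where the handshake failed before a ServerHello. A TLS 1.3 ServerHello also carries 3.3 in this field, because the real version travels in the supported_versions extension.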
- Jad_Tabbara__J1
Cirrostratus
Hello Gefela,
You will need to create a Server SSL Profile, and customize this profile to send the FQDN using the "Server Name" option.
So you only need to specify the FQDN in the "Server Name"; when the F5 initiates SSL negotiation, it will send this FQDN and the backends will be happy.
Could you please try it and give feedback?
Thanks