Forum Discussion

Merry95_171142's avatar
Merry95_171142
Icon for Nimbostratus rankNimbostratus
Mar 03, 2015

Handshake SSL failed for the HTTPS monitor

Hello,   I have a problem with the HTTPS monitor. When no monitor, the traffic is transmitted, and I can see a successfull SSL handshake between F5 and the client, and F5 and the server, using TLS...
Brad_Parker_139's avatar
Brad_Parker_139
Icon for Nacreous rankNacreous
Mar 04, 2015

I've seen this before. It may be an issue with openssl on BigIP or the SSL stack on your server. In this case, the SSL stack on your server doesn't like the version differences in the handshake envelope. Even though it is "complaint" by RFC standards, I've seen more than one server fail handshakes with this behavior. As you can see the monitor is sending a version TLS 1.2 handshake inside of a Client Hello mark with version TLS 1.0. Your server probably wants those to match. Unfortunately, I'm not sure if there's a way on your end to change that behavior in the monitor.

 

Adrian_P's avatar
Adrian_P
Icon for Nimbostratus rankNimbostratus
Jul 03, 2015
Hi Brad, I am having the same issue while configuring HTTPS monitor. The Client Hello from the F5 monitor have mismatched TLS version on the Handshake (TLS 1.0) and Handshake protocol (TLS 1.2) and the server send a RST, ACK straight away. Is this behaviour is going to be fixed in the next release ? We are running 11.6.0 Engineering Hotfix Version 4.107.420