Forum Discussion

Rodolphe_AUBINE's avatar
Rodolphe_AUBINE
Icon for Nimbostratus rankNimbostratus
Jun 20, 2012

How to SSL debug in details...

Hi all,

 

 

I have a virtual server that is set in two-way SSL authentication and I have a lot of trouble to find the various causes related to the handshake phase for example.

 

 

This is not my first virtual server in this mode. Most of my clients connect perfectly to the latter but one is still ko.

 

 

This is actually a client through an Alteon 2424 SSL to establish connections specializes in background.

 

 

SSL Server side profile everything is OK: by disabling certificate checking customer, external PKI service that sold me the SSL Server Certificate test and proves that everything is OK: certificate, chain intermediate and root.

 

SSL Client side profile, the configuration is OK (require level 2 once as usual).

 

 

I have already activated the DEBUG level logs for SSL visible in the log / var / log / ltm. I also placed iRules for all SSL-related events to view details of each step.

 

 

Question: how to find the explanation or exact mapping of these technical messages examples :

 

 

debug tmm[5581]: 01260009:7: Connection error: ssl_codec_parse:521: invalid record length (51)

 

 

debug tmm[5581]: 01260009:7: Connection error: ssl_shim_vfycert:2368: application verification failure (42)

 

 

tmm[5581]: 01260013:6: SSL Handshake failed for TCP from XXX.XXX.XXX.XXX:443 to YYY.YYY.YYY.YYY:ZZZZZ

 

 

I have also check this URI :

 

https://devcentral.f5.com/wiki/iRules.SSL__verify_result.ashx

 

http://www.openssl.org/docs/apps/ve...IAGNOSTICS

 

 

Thanks in advance,

 

 

Sorry for english words, i am french !

 

Rodolphe

 

  • Hi Rodolphe,

     

     

    I couldn't find any relevant info on these error messages. I suggest opening a case with F5 Support to have them research these errors.

     

     

    Aaron
  • Happy to see that I really have searched everywhere....

     

     

    Thank you Aaron ! Let's go write a case....