Forum Discussion
nitass
Apr 21, 2015Employee
are you using ec type certificate?
by the way, you are aware of this known issue, aren't you?
sol16461: ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later
https://support.f5.com/kb/en-us/solutions/public/16000/400/sol16461.html
this is mine.
configuration
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
destination 172.28.24.10:443
ip-protocol tcp
mask 255.255.255.255
pool foo
profiles {
myclientssl {
context clientside
}
tcp { }
}
source 0.0.0.0/0
source-address-translation {
type automap
}
vs-index 28
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
app-service none
cert-key-chain {
default {
cert default.crt
key default.key
}
ecself {
cert ecself.crt
key ecself.key
}
}
ciphers ECDHE_ECDSA+TLSv1_2
defaults-from clientssl
inherit-certkeychain false
}
client
[root@bip8:Active:Standalone] config openssl s_client -connect 172.28.24.10:443
CONNECTED(00000003)
depth=0 C = US, CN = ecself.acme.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, CN = ecself.acme.local
verify return:1
---
Certificate chain
0 s:/C=US/CN=ecself.acme.local
i:/C=US/CN=ecself.acme.local
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBQTCB6KADAgECAgQJ+EHEMAoGCCqGSM49BAMCMCkxCzAJBgNVBAYTAlVTMRow
GAYDVQQDExFlY3NlbGYuYWNtZS5sb2NhbDAeFw0xNTA0MjEwNjI1MDhaFw0xNjA0
MjAwNjI1MDhaMCkxCzAJBgNVBAYTAlVTMRowGAYDVQQDExFlY3NlbGYuYWNtZS5s
b2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKpSXUae0onZ2idut4qc3T2G
2M5HswHo003+bwMsu1Yg2htp00pseH9SqTH1bEbQrp88xYvK2ZcIqWuWxEDuC84w
CgYIKoZIzj0EAwIDSAAwRQIgC1VXeI+TEemv3X4QqR7kUudBC9a2qYM/2J+SK0n3
B9QCIQDQGxiuat6PfQxHCv/m+1XO3x/wJltjF2nrXsDkQxMehQ==
-----END CERTIFICATE-----
subject=/C=US/CN=ecself.acme.local
issuer=/C=US/CN=ecself.acme.local
---
No client certificate CA names sent
---
SSL handshake has read 654 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
Session-ID: CB197910DEEDB6A2DF02C59D6B5352B5FF3925FC8BB20A67C3EEE078FD78C143
Session-ID-ctx:
Master-Key: 42C3C2C0CDE0901EAFBD6D8EF98D814B5C8A9DBD3BC64ABF369ADCCBD0D7BDF34C28D88F9DF8A8C132773668E85E64A0
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1429607775
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
GET /
This is 101 host.
read:errno=0
trace
[root@ve11c:Active:In Sync] config ssldump -Aed -nni 0.0 port 443
New TCP connection 1: 172.28.24.8(35590) <-> 172.28.24.10(443)
1 1 1429607775.4983 (0.0019) C>SV3.1(300) Handshake
ClientHello
Version 3.3
random[32]=
69 6a e6 86 2a de 06 1c de 80 54 ac c8 10 4c d2
b8 a8 94 77 89 62 3c af 52 aa 02 06 a6 4a 3c c3
cipher suites
Unknown value 0xc030
Unknown value 0xc02c
Unknown value 0xc028
Unknown value 0xc024
Unknown value 0xc014
Unknown value 0xc00a
Unknown value 0xa3
Unknown value 0x9f
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
Unknown value 0xc032
Unknown value 0xc02e
Unknown value 0xc02a
Unknown value 0xc026
Unknown value 0xc00f
Unknown value 0xc005
Unknown value 0x9d
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
Unknown value 0xc02f
Unknown value 0xc02b
Unknown value 0xc027
Unknown value 0xc023
Unknown value 0xc013
Unknown value 0xc009
Unknown value 0xa2
Unknown value 0x9e
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x9a
Unknown value 0x99
Unknown value 0x45
Unknown value 0x44
Unknown value 0xc031
Unknown value 0xc02d
Unknown value 0xc029
Unknown value 0xc025
Unknown value 0xc00e
Unknown value 0xc004
Unknown value 0x9c
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
Unknown value 0x96
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Unknown value 0xc011
Unknown value 0xc007
Unknown value 0xc00c
Unknown value 0xc002
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xc012
Unknown value 0xc008
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc00d
Unknown value 0xc003
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
Unknown value 0xff
compression methods
NULL
1 2 1429607775.4992 (0.0009) S>CV3.3(95) Handshake
ServerHello
Version 3.3
random[32]=
49 b5 4c ac e4 2a e2 93 a2 bc fa 58 ae d6 f8 ad
16 fb 8e 78 ea f1 34 fa c7 2e 77 f3 7b f2 d9 c9
session_id[32]=
cb 19 79 10 de ed b6 a2 df 02 c5 9d 6b 53 52 b5
ff 39 25 fc 8b b2 0a 67 c3 ee e0 78 fd 78 c1 43
cipherSuite Unknown value 0xc02c
compressionMethod NULL
1 3 1429607775.4992 (0.0000) S>CV3.3(335) Handshake
Certificate
1 4 1429607775.4992 (0.0000) S>CV3.3(149) Handshake
ServerKeyExchange
1 5 1429607775.4992 (0.0000) S>CV3.3(4) Handshake
ServerHelloDone
1 6 1429607775.5072 (0.0079) C>SV3.3(70) Handshake
ClientKeyExchange
1 7 1429607775.5072 (0.0000) C>SV3.3(1) ChangeCipherSpec
1 8 1429607775.5072 (0.0000) C>SV3.3(40) Handshake
1 9 1429607775.5089 (0.0016) S>CV3.3(1) ChangeCipherSpec
1 10 1429607775.5090 (0.0000) S>CV3.3(40) Handshake
1 11 1429607776.9673 (1.4583) C>SV3.3(30) application_data
1 12 1429607776.9724 (0.0050) S>CV3.3(113) application_data
1 1429607776.9724 (0.0000) S>C TCP FIN
1 13 1429607776.9761 (0.0037) C>SV3.3(26) Alert
1 1429607776.9766 (0.0004) C>S TCP FIN