Forum Discussion
JD1
Mar 05, 2015 (Altostratus)
IIS 7 - SSL Client certificate set to "Accept" seems to force F5 SSL TCP RST.
Hi all,
I've just upgraded an 11.3.0 HF5 to 11.6.0 HF4 BIG-IP.
We've got a couple of IIS7 servers behind, which (for no apparent reason) the server admins configured the SSL Settings to "Ac...
Brad_Parker_139
Mar 05, 2015 (Nacreous)
It is very possible that the ciphers are no longer compatible. Could your server admins only be allowing SSLv3 and starting with 11.5 the "DEFAULT" cipher list doesn't include SSLv3?
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html
- JD1, Mar 05, 2015 (Altostratus): I had considered that, and tried adding SSLv3 back in already (for testing), however it would still beg the question "Why only when the server side is configured to accept/request client certificate?". Additionally, ssldump shows that the server side responds with a matching cipher available.
- Brad_Parker_139, Mar 05, 2015 (Nacreous): Where does the SSL failure happen? Use tcpdump to gather the handshake failure. Which side is terminating the handshake? Do you have a certificate configured in your SSL server profile?
- JD1, Mar 06, 2015 (Altostratus): tcpdump (ssldump more so) shows TCP RST from server side. Not a client certificate in server ssl, AFAIK the section for that becomes server authentication certificates (to certify the server is who they say, not to certify the F5 BIGIP is who it says)?
- Brad_Parker_139, Mar 06, 2015 (Nacreous): If you configure a certificate in the certificate section of the server ssl profile, it presents that certificate to the server as a client certificate. If you could post the client hello and server hello packet details we may be able to see what is going on.
- JD1, Mar 08, 2015 (Altostratus): Hi Brad. I don't see a 'client section' equivalent in the serverssl profile, it seems to show Server Authentication. Unless this is exactly the same function from BigIP perspective. Still, why would I now need to configure a client certificate between bigip and IIS if IIS is set to accept not require and it worked back on 11.3 HF 5? Only thing changed is BigIP version, ciphers quite clearly are supportive of the deprecated sslv3 removal. I'll get the client hello etc asap and post.
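Brad asks for the ClientHello and ServerHello details before going further. The following is an added example (my own code, not from the thread, F5 or IIS) that builds two constructed Hello records, parses them the way one reads them off ssldump, and flags the mismatches worth ruling out before blaming the client-certificate setting: a suite the client never offered, a version above the client's maximum, or an SSLv3 answer that a post-11.5 "DEFAULT" cipher string would not have offered. Version numbers and suite ids are standard TLS values; the sample bytes are constructed, with random and session id zeroed.

```python
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}

def _wrap(hs_type, body):
    """Add the 4-byte handshake header and the 5-byte TLS record header (record version TLS1.0)."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_client_hello(version, ciphers):
    """Constructed ClientHello: zero random, empty session id, offered suites, null compression."""
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
    return _wrap(1, body + b"\x01\x00")

def build_server_hello(version, cipher):
    """Constructed ServerHello: zero random, empty session id, chosen suite, null compression."""
    return _wrap(2, struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00")

def parse_hello(data):
    """Pull version and cipher suite(s) out of one Hello record, as you would read them in ssldump."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = data[5:5 + rec_len]
    hs_type, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version, = struct.unpack("!H", body[:2])
    pos = 2 + 32                 # skip the 32-byte random
    pos += 1 + body[pos]         # skip the length-prefixed session id
    info = {"type": hs_type, "version": version, "name": VERSION_NAMES.get(version, hex(version))}
    if hs_type == 1:             # ClientHello carries a length-prefixed list of offered suites
        n, = struct.unpack("!H", body[pos:pos + 2])
        info["ciphers"] = list(struct.unpack("!%dH" % (n // 2), body[pos + 2:pos + 2 + n]))
    elif hs_type == 2:           # ServerHello carries the single suite the server selected
        info["cipher"], = struct.unpack("!H", body[pos:pos + 2])
    else:
        raise ValueError("handshake type %d is not a Hello" % hs_type)
    return info

def check_negotiation(client, server):
    """Findings to rule out before blaming the client-cert setting; an empty list means the hellos agree."""
    findings = []
    if server["cipher"] not in client["ciphers"]:
        findings.append("server chose suite 0x%04x, which the client never offered" % server["cipher"])
    if server["version"] > client["version"]:
        findings.append("server answered %s, above the client's %s" % (server["name"], client["name"]))
    if server["version"] == 0x0300:
        findings.append("server negotiated SSLv3; confirm the server-ssl profile's cipher string still allows it")
    return findings
```

Run it against the two records ssldump shows on the server-side VLAN; if the list is empty, the cipher and version are not the cause and attention moves to what follows the ServerHello (the CertificateRequest that "Accept" makes IIS send).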