Forum Discussion
monitor for adfs server (GTM)
I cannot create a https monitor for our adfs servers from the GTM. I have tried many different ciphers. Tried offering only the cipher used by my Firefox browser. Curl shows the TLS handshake soundly rejected. Packet captures and firewall logs suggest the same thing - TLS handshake a non-starter.
My monitor send-string is:
GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1\r\nHost: adfs.open-techs.com
looking for html title.
Any suggestions?
[root@DNS2:Active:Standalone] tmp curl -v2 https://adfs.open-techs.com/adfs/ls/IdpInitiatedSignon.aspx
* About to connect() to adfs.open-techs.com port 443 (0)
*   Trying 12.178.113.8... connected
* Connected to adfs.open-techs.com (12.178.113.8) port 443 (0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* SSLv2, Client hello (1):
* Unknown SSL protocol error in connection to adfs.open-techs.com:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to adfs.open-techs.com:443
[root@DNS2:Active:Standalone] tmp
15 Replies
- Kevin_Stewart
Employee
It seems odd that the monitor is attempting to do SSLv2. What cipher string are you using? Do you have anything in the Client Certificate field?
To verify that the monitor is or isn't trying to do SSLv2, do an ssldump capture on the server side VLAN:
ssldump -AdNn -i 0.0 port 443 and host [IP of pool member]
This should display the SSL handshake and show what ciphers and protocols each side is trying to negotiate and where it's failing.
- OTS02
Cirrus
Thanks for your help Kevin. I just happened to dictate SSLv2 in that particular curl that I posted. I tried every curl option I could dig up. I have nothing in the client certificate field, as the site does not require a client cert. Browsers have no problem pulling up the site.
output of ssldump:
[root@DNS2:Active:Standalone] config ssldump -AdNn -i 0.0 port 443 and host 8.24.31.81
New TCP connection 1: 8.24.31.100(33508) <-> 8.24.31.81(443)
1 1 0.0020 (0.0020) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
SSL2_CK_RC2
TLS_RSA_WITH_RC4_128_MD5
SSL2_CK_RC4
SSL2_CK_DES
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL2_CK_RC2_EXPORT40
TLS_RSA_EXPORT_WITH_RC4_40_MD5
SSL2_CK_RC4_EXPORT40
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL2_CK_3DES
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x45
Unknown value 0x44
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xff
1 0.0025 (0.0004) S>C TCP RST
then repeats...
- Kevin_Stewart
Employee
Just so weird that it's trying to do SSLv2. What BIG-IP version are you on? What do you have in the Cipher List field of the HTTPS monitor?
- OTS02
Cirrus
BIG-IP 11.4.1 Build 635.0 Hotfix HF2
At the moment, I have the default - DEFAULT:+SHA:+3DES:+kEDH. But I have tried many specific ciphers, including the very one that I took from a Fiddler capture of Firefox hitting the site (don't recall what it was).
I asked the system admin if he could look at the logs in the adfs server, but he said that there is nothing to look at. adfs is kind of an odd bird, in that it not only serves as a proxy, but does not use IIS to serve the web page.
- OTS02
Cirrus
I set up a test pool on an LTM (11.6.0 HF4) that is on the same subnet. Here is the output:
[root@OTS_WEBLTM_B:Active:Changes Pending] config ssldump -AdNn -i 0.0 port 443 and host 10.189.0.8
New TCP connection 1: 10.xxx.0.44(37668) <-> 10.xxx.0.8(443)
1 1 0.0013 (0.0013) C>SV3.1(512) Handshake
ClientHello
Version 3.3
random[32]=
f6 04 14 2f 4d 00 c0 80 88 26 bc 3f 2b 5d e4 d0 f0 0e 8e f3 f8 ad 8d 2f 38 43 82 15 68 ce 12 09
cipher suites
Unknown value 0xc030
Unknown value 0xc02c
Unknown value 0xc028
Unknown value 0xc024
Unknown value 0xc032
Unknown value 0xc02e
Unknown value 0xc02a
Unknown value 0xc026
Unknown value 0x9d
TLS_RSA_WITH_AES_256_CBC_SHA256
Unknown value 0xc02f
Unknown value 0xc02b
Unknown value 0xc027
Unknown value 0xc023
Unknown value 0xc031
Unknown value 0xc02d
Unknown value 0xc029
Unknown value 0xc025
Unknown value 0x9c
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
Unknown value 0xc014
Unknown value 0xc00a
Unknown value 0xc00f
Unknown value 0xc005
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
Unknown value 0xc013
Unknown value 0xc009
Unknown value 0xc00e
Unknown value 0xc004
TLS_RSA_WITH_AES_128_CBC_SHA
Unknown value 0x96
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Unknown value 0xc011
Unknown value 0xc007
Unknown value 0xc00c
Unknown value 0xc002
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
Unknown value 0xc012
Unknown value 0xc008
Unknown value 0xc00d
Unknown value 0xc003
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xa3
Unknown value 0x9f
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Unknown value 0xa2
Unknown value 0x9e
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x9a
Unknown value 0x99
Unknown value 0x45
Unknown value 0x44
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xff
compression methods
NULL
1 0.0015 (0.0002) S>C TCP RST
- Kevin_Stewart
Employee
So let's go back to a cURL test:
curl -k https://[adfs server IP]/adfs/ls/IdpInitiatedSignon.aspx
and run an ssldump at the same time. Does that request fail?
- OTS02
Cirrus
I did this on the LTM, since this eliminates the firewall.
[root@OTS_WEBLTM_B:Active:Changes Pending] config ssldump -AdNn -i 0.0 port 443 and host 10.xxx.0.8
New TCP connection 1: 10.xxx.0.44(52745) <-> 10.xxx.0.8(443)
1 1 0.0508 (0.0508) C>SV3.1(512) Handshake
ClientHello
Version 3.3
random[32]=
92 63 70 c1 5d 43 40 9b cf 01 b2 2d 47 8b 3d 01 3a e5 48 84 5d cc 6c 2f 1c 78 e1 87 5e 3d 6b 72
cipher suites
Unknown value 0xc030
Unknown value 0xc02c
Unknown value 0xc028
Unknown value 0xc024
Unknown value 0xc014
Unknown value 0xc00a
Unknown value 0xa3
Unknown value 0x9f
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
Unknown value 0xc032
Unknown value 0xc02e
Unknown value 0xc02a
Unknown value 0xc026
Unknown value 0xc00f
Unknown value 0xc005
Unknown value 0x9d
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
Unknown value 0xc02f
Unknown value 0xc02b
Unknown value 0xc027
Unknown value 0xc023
Unknown value 0xc013
Unknown value 0xc009
Unknown value 0xa2
Unknown value 0x9e
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x9a
Unknown value 0x99
Unknown value 0x45
Unknown value 0x44
Unknown value 0xc031
Unknown value 0xc02d
Unknown value 0xc029
Unknown value 0xc025
Unknown value 0xc00e
Unknown value 0xc004
Unknown value 0x9c
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
Unknown value 0x96
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Unknown value 0xc011
Unknown value 0xc007
Unknown value 0xc00c
Unknown value 0xc002
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xc012
Unknown value 0xc008
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc00d
Unknown value 0xc003
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
Unknown value 0xff
compression methods
NULL
1 0.0511 (0.0003) S>C TCP RST
- Kevin_Stewart
Employee
So it looks like you're getting the same or similar response (it isn't working). Suffice it to say that if it doesn't work in cURL, it can't possibly work in the monitor either.
Are you certain that ADFS is listening on HTTPS? Port 443?
Unless something's missing, it looks like you're getting a reset on the client's initial ClientHello message. If ADFS is doing HTTPS on port 443, is there a unique cipher requirement? Can you connect to this ADFS box from anywhere?
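The captures above give one fact: the server answers the very first ClientHello with a TCP RST, before any alert, so the hello itself is being rejected at the TLS layer and nothing in the HTTP request matters yet. Two details of those hellos are worth separating from the cipher question. First, the old ssldump build prints the ECDHE, ECDH, GCM and SCSV code points as "Unknown value", so the list is harder to read than it needs to be. Second, the curl tests on the LTM went to a bare IP address, and a hello sent to an IP carries no server_name (SNI) extension; whether this ADFS host cares is not established anywhere in the thread, it is just a difference between the browser hello and the test hellos that the captures cannot show. The script below is an added diagnostic written for this page; it is not F5, Microsoft or ssldump code. It builds a TLS 1.2 ClientHello in a 3.1 record (the "C>SV3.1 ... ClientHello Version 3.3" shape ssldump shows), with or without server_name, decodes it with names for the code points ssldump left unknown, sends it, and classifies the reply as reset, TLS alert or ServerHello. The target host, the server names and the code point 0x1234 in the checks are illustrative assumptions.

```python
"""Probe how a TLS server reacts to one ClientHello, and decode hellos the
way ssldump does.  Added example for this thread, not F5/ADFS/ssldump code.
Host names, IPs and the 0x1234 code point used in checks are illustrative."""
import os
import socket
import struct

# IANA names for code points the ssldump build in the thread prints as
# "Unknown value" (ECDHE, GCM, SCSV), plus a few it does know, for comparison.
SUITE_NAMES = {
    0xc030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xc028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xc027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xc014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xc013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x009d: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009c: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x003d: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}


def build_client_hello(suites, sni=None):
    """TLS 1.2 ClientHello (body version 3.3) in a 3.1 record, the shape the
    captures show.  With sni set, an RFC 6066 server_name extension is
    appended; a hello sent to a bare IP address, like the LTM curl tests,
    carries none."""
    body = b"\x03\x03" + os.urandom(32)                       # version, random
    body += b"\x00"                                           # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", cp) for cp in suites)
    body += b"\x01\x00"                                       # null compression only
    if sni is not None:
        host = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name type host_name(0)
        ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def decode_client_hello(record):
    """Return (version, suite names, sni) from a ClientHello record, naming
    the code points ssldump left as "Unknown value"."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:]
    version = (body[0], body[1])
    pos = 34 + 1 + body[34]                                   # skip random and session id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    suites = [SUITE_NAMES.get(cp, "Unknown value 0x%x" % cp)
              for (cp,) in struct.iter_unpack("!H", body[pos:pos + cs_len])]
    pos += cs_len
    pos += 1 + body[pos]                                      # skip compression list
    sni = None
    if pos < len(body):                                       # extensions present
        (ext_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            if etype == 0:                                    # server_name
                (name_len,) = struct.unpack_from("!H", body, pos + 3)
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return version, suites, sni


def classify_response(data):
    """Sort the first bytes back: empty means the peer closed or reset
    (what the captures show), 0x15 is a TLS alert (the hello was parsed and
    refused), 0x16 with handshake type 2 is a ServerHello (accepted)."""
    if not data:
        return "reset"
    if data[0] == 0x15 and len(data) >= 7:
        return "alert %d" % data[6]
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        return "server_hello %d.%d" % (data[9], data[10])
    return "other"


def probe(host, port=443, sni=None, suites=None, timeout=5):
    """Send one hello and classify the answer (network use; not part of the
    offline checks)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        sock.sendall(build_client_hello(suites or list(SUITE_NAMES), sni))
        try:
            data = sock.recv(4096)
        except ConnectionResetError:
            data = b""
        except socket.timeout:
            return "timeout"
    finally:
        sock.close()
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]                      # IP or host name of the ADFS box
    name = sys.argv[2] if len(sys.argv) > 2 else target
    print("without server_name:", probe(target))
    print("with server_name   :", probe(target, sni=name))
```

Run it as `python3 probe.py 10.xxx.0.8 adfs.open-techs.com` from the BIG-IP or any host on the server-side VLAN with ssldump running alongside. If both runs come back "reset" with the full list, narrow `suites` to one family at a time to find a cipher requirement; if only the run with server_name gets a ServerHello, the difference is the extension and not the cipher list, which the monitor's Cipher List field cannot fix. An "alert 40" (handshake_failure) or "alert 70" (protocol_version) is a different signal from a bare reset, since it proves the server read the hello.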
- OTS02
Cirrus
https://adfs.open-techs.com/adfs/ls/IdpInitiatedSignon.aspx should be available to you from where you are.
Like I say, browsers don't have a problem with it.
I did check the firewall logs to verify that 443 is the only thing going on with it.
- OTS02
Cirrus
Unless the adfs server doesn't care for the user-agent. But I don't think user-agent even comes into play during TLS handshake...