F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

OTS02's avatar
OTS02
Icon for Cirrus rankCirrus
Jul 23, 2015

monitor for adfs server (GTM)

I cannot create a https monitor for our adfs servers from the GTM. I have tried many different ciphers. Tried offering only the cipher used by my Firefox browser. Curl shows the TLS handshake soundly rejected. Packet captures and firewall logs suggest the same thing - TLS handshake a non-starter.

 

My monitor send-string is:

 

GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1\r\nHost: adfs.open-techs.com

 

looking for html title.

 

Any suggestions?

 

[root@DNS2:Active:Standalone] tmp curl -v2 https://adfs.open-techs.com/adfs/ls/IdpInitiatedSignon.aspx

 

  • About to connect() to adfs.open-techs.com port 443 (0)
  • Trying 12.178.113.8... connected
  • Connected to adfs.open-techs.com (12.178.113.8) port 443 (0)
  • successfully set certificate verify locations:
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
  • SSLv2, Client hello (1):
  • Unknown SSL protocol error in connection to adfs.open-techs.com:443
  • Closing connection 0 curl: (35) Unknown SSL protocol error in connection to adfs.open-techs.com:443 [root@DNS2:Active:Standalone] tmp

15 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 24, 2015

    It seems odd that the monitor is attempting to do SSLv2. What cipher string are you using? Do you have anything in the Client Certificate field?

    To verify that the monitor is or isn't trying to do SSLv2, do an ssldump capture on the server side VLAN:

    ssldump -AdNn -i 0.0 port 443 and host [IP of pool member]

    This should display the SSL handshake and show what ciphers and protocols each side is trying to negotiate and where it's failing.

  • OTS02's avatar
    OTS02
    Icon for Cirrus rankCirrus
    Jul 24, 2015

    Thanks for your help Kevin. I just happened to dictate SSLv2 in that particular curl that I posted. I tried every curl option I could dig up. I have nothing in the client certificate field, as the site does not require a client cert. Browsers have no problem pulling up the site.

     

    output of ssldump:

     

    [root@DNS2:Active:Standalone] config ssldump -AdNn -i 0.0 port 443 and host 8.24.31.81

     

    New TCP connection 1: 8.24.31.100(33508) <-> 8.24.31.81(443) 1 1 0.0020 (0.0020) C>S SSLv2 compatible client hello

     

    Version 3.1

     

    cipher suites

     

    SSL2_CK_RC2

     

    TLS_RSA_WITH_RC4_128_MD5

     

    SSL2_CK_RC4

     

    SSL2_CK_DES

     

    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

     

    SSL2_CK_RC2_EXPORT40

     

    TLS_RSA_EXPORT_WITH_RC4_40_MD5

     

    SSL2_CK_RC4_EXPORT40

     

    TLS_RSA_WITH_AES_256_CBC_SHA

     

    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

     

    TLS_RSA_WITH_AES_128_CBC_SHA

     

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

     

    TLS_RSA_WITH_RC4_128_SHA

     

    TLS_RSA_WITH_DES_CBC_SHA

     

    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

     

    SSL2_CK_3DES

     

    TLS_RSA_WITH_3DES_EDE_CBC_SHA

     

    TLS_DHE_RSA_WITH_AES_256_CBC_SHA

     

    TLS_DHE_DSS_WITH_AES_256_CBC_SHA

     

    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

     

    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA

     

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA

     

    TLS_DHE_DSS_WITH_AES_128_CBC_SHA

     

    Unknown value 0x45

     

    Unknown value 0x44

     

    TLS_DHE_RSA_WITH_DES_CBC_SHA

     

    TLS_DHE_DSS_WITH_DES_CBC_SHA

     

    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

     

    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

     

    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

     

    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

     

    Unknown value 0xff

     

    1 0.0025 (0.0004) S>C TCP RST

     

    then repeats...

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 24, 2015

    Just so weird that it's trying to do SSLv2. What BIG-IP version are you on? What do you have in the Cipher List field of the HTTPS monitor?

     

  • OTS02's avatar
    OTS02
    Icon for Cirrus rankCirrus
    Jul 24, 2015

    BIG-IP 11.4.1 Build 635.0 Hotfix HF2

     

    At the moment, I have the default - DEFAULT:+SHA:+3DES:+kEDH. But I have tried many specific ciphers, including the very one that I took from a Fiddler capture of Firefox hitting the site (don't recall what it was).

     

    I asked the system admin if he could look at the logs in the adfs server, but he said that there is nothing to look at. adfs is kind of an odd bird, in that it not only serves as a proxy, but does not use IIS to serve the web page.

     

  • OTS02's avatar
    OTS02
    Icon for Cirrus rankCirrus
    Jul 24, 2015

    I set up a test pool on an LTM (11.6.0 HF4) that is on the same subnet. Here is the output:

    [root@OTS_WEBLTM_B:Active:Changes Pending] config ssldump -AdNn -i 0.0 port 443 and host 10.189.0.8 New TCP connection 1: 10.xxx.0.44(37668) <-> 10.xxx.0.8(443)

    1 1 0.0013 (0.0013) C>SV3.1(512) Handshake

      ClientHello

    Version 3.3

    random[32]=

      f6 04 14 2f 4d 00 c0 80 88 26 bc 3f 2b 5d e4 d0

      f0 0e 8e f3 f8 ad 8d 2f 38 43 82 15 68 ce 12 09

    cipher suites

    Unknown value 0xc030

    Unknown value 0xc02c

    Unknown value 0xc028

    Unknown value 0xc024

    Unknown value 0xc032

    Unknown value 0xc02e

    Unknown value 0xc02a

    Unknown value 0xc026

    Unknown value 0x9d

    TLS_RSA_WITH_AES_256_CBC_SHA256

    Unknown value 0xc02f

    Unknown value 0xc02b

    Unknown value 0xc027

    Unknown value 0xc023

    Unknown value 0xc031

    Unknown value 0xc02d

    Unknown value 0xc029

    Unknown value 0xc025

    Unknown value 0x9c

    TLS_RSA_WITH_AES_128_CBC_SHA256

    TLS_RSA_WITH_RC4_128_MD5

    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

    TLS_RSA_EXPORT_WITH_RC4_40_MD5

    Unknown value 0xc014

    Unknown value 0xc00a

    Unknown value 0xc00f

    Unknown value 0xc005

    TLS_RSA_WITH_AES_256_CBC_SHA

    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

    Unknown value 0xc013

    Unknown value 0xc009

    Unknown value 0xc00e

    Unknown value 0xc004

    TLS_RSA_WITH_AES_128_CBC_SHA

    Unknown value 0x96

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

    Unknown value 0xc011

    Unknown value 0xc007

    Unknown value 0xc00c

    Unknown value 0xc002

    TLS_RSA_WITH_RC4_128_SHA

    TLS_RSA_WITH_DES_CBC_SHA

    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

    Unknown value 0xc012

    Unknown value 0xc008

    Unknown value 0xc00d

    Unknown value 0xc003

    TLS_RSA_WITH_3DES_EDE_CBC_SHA

    Unknown value 0xa3

    Unknown value 0x9f

    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

    Unknown value 0xa2

    Unknown value 0x9e

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

    TLS_DHE_RSA_WITH_AES_256_CBC_SHA

    TLS_DHE_DSS_WITH_AES_256_CBC_SHA

    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA

    TLS_DHE_DSS_WITH_AES_128_CBC_SHA

    Unknown value 0x9a

    Unknown value 0x99

    Unknown value 0x45

    Unknown value 0x44

    TLS_DHE_RSA_WITH_DES_CBC_SHA

    TLS_DHE_DSS_WITH_DES_CBC_SHA

    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

    Unknown value 0xff

    compression methods

              NULL

    1 0.0015 (0.0002) S>C TCP RST

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 24, 2015

    So let's go back to a cURL test:

    curl -k https://[adfs server IP]/adfs/ls/IdpInitiatedSignon.aspx

    and run an ssldump at the same time. Does that request fail?

  • OTS02's avatar
    OTS02
    Icon for Cirrus rankCirrus
    Jul 24, 2015

    I did this on the LTM, since this eliminates the firewall.

    [root@OTS_WEBLTM_B:Active:Changes Pending] config ssldump -AdNn -i 0.0 port 443 and host 10.xxx.0.8

    New TCP connection 1: 10.xxx.0.44(52745) <-> 10.xxx.0.8(443)

    1 1 0.0508 (0.0508) C>SV3.1(512) Handshake

      ClientHello

    Version 3.3

    random[32]=

      92 63 70 c1 5d 43 40 9b cf 01 b2 2d 47 8b 3d 01

      3a e5 48 84 5d cc 6c 2f 1c 78 e1 87 5e 3d 6b 72

    cipher suites

    Unknown value 0xc030

    Unknown value 0xc02c

    Unknown value 0xc028

    Unknown value 0xc024

    Unknown value 0xc014

    Unknown value 0xc00a

    Unknown value 0xa3

    Unknown value 0x9f

    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

    TLS_DHE_RSA_WITH_AES_256_CBC_SHA

    TLS_DHE_DSS_WITH_AES_256_CBC_SHA

    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA

    Unknown value 0xc032

    Unknown value 0xc02e

    Unknown value 0xc02a

    Unknown value 0xc026

    Unknown value 0xc00f

    Unknown value 0xc005

    Unknown value 0x9d

    TLS_RSA_WITH_AES_256_CBC_SHA256

    TLS_RSA_WITH_AES_256_CBC_SHA

    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

    Unknown value 0xc02f

    Unknown value 0xc02b

    Unknown value 0xc027

    Unknown value 0xc023

    Unknown value 0xc013

    Unknown value 0xc009

    Unknown value 0xa2

    Unknown value 0x9e

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA

    TLS_DHE_DSS_WITH_AES_128_CBC_SHA

    Unknown value 0x9a

    Unknown value 0x99

    Unknown value 0x45

    Unknown value 0x44

    Unknown value 0xc031

    Unknown value 0xc02d

    Unknown value 0xc029

    Unknown value 0xc025

    Unknown value 0xc00e

    Unknown value 0xc004

    Unknown value 0x9c

    TLS_RSA_WITH_AES_128_CBC_SHA256

    TLS_RSA_WITH_AES_128_CBC_SHA

    Unknown value 0x96

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

    Unknown value 0xc011

    Unknown value 0xc007

    Unknown value 0xc00c

    Unknown value 0xc002

    TLS_RSA_WITH_RC4_128_SHA

    TLS_RSA_WITH_RC4_128_MD5

    Unknown value 0xc012

    Unknown value 0xc008

    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

    Unknown value 0xc00d

    Unknown value 0xc003

    TLS_RSA_WITH_3DES_EDE_CBC_SHA

    TLS_DHE_RSA_WITH_DES_CBC_SHA

    TLS_DHE_DSS_WITH_DES_CBC_SHA

    TLS_RSA_WITH_DES_CBC_SHA

    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

    TLS_RSA_EXPORT_WITH_RC4_40_MD5

    Unknown value 0xff

    compression methods

              NULL

    1 0.0511 (0.0003) S>C TCP RST

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 24, 2015

    So it looks like you're getting the same or similar response (it isn't working). Suffice it to say that if it doesn't work in cURL, it can't possibly work in the monitor either.

     

    Are you certain that ADFS is listening on HTTPS? Port 443?

     

    Unless something's missing, it looks like you're getting a reset on the client's initial ClientHello message. If ADFS is doing HTTPS on port 443, is there a unique cipher requirement? Can you connect to this ADFS box from anywhere?

     

  • OTS02's avatar
    OTS02
    Icon for Cirrus rankCirrus
    Jul 24, 2015

    Unless the adfs server doesn't care for the user-agent. But I don't think user-agent even comes into play during TLS handshake...