Forum Discussion

Mizzouri's avatar
Mizzouri
Icon for Altostratus rankAltostratus
Jan 29, 2020

Need help passing the cert to the pool member when using client/server ssl profiles

Our application developers are launching Mirth and I've setup a Standard VIP listening on 443, http profile, with client/server ssl profile and an iRule (uri based). The server cert portion is working just fine, but was informed yesterday that they needed the client cert to be passed along to the pool members. After doing some reading, I set both profiles to Proxy SSL. Once I set that, they immediately saw SSL handshake failures. From a SSLDUMP I am seeing the following:

 

 # ssldump -r /var/tmp/proxycap.pcap

New TCP connection #1: 10.144.22.176(53294) <-> 10.144.20.176(443)

1 1 0.0008 (0.0008) C>S SSLv2 compatible client hello

 Version 3.3

 cipher suites

 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 

 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 

 TLS_RSA_WITH_AES_256_CBC_SHA256 

 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 

 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 

 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 

 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 

 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 

 SSL2_CK_3DES 

 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 

 TLS_RSA_WITH_AES_256_CBC_SHA 

 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 

 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 

 TLS_DHE_RSA_WITH_AES_256_CBC_SHA 

 TLS_DHE_DSS_WITH_AES_256_CBC_SHA 

 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 

 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 

 TLS_RSA_WITH_AES_128_CBC_SHA256 

 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 

 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 

 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 

 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 

 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 

 SSL2_CK_DES 

 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 

 TLS_RSA_WITH_AES_128_CBC_SHA 

 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 

 SSL2_CK_RC4 

 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 

 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 

 TLS_DHE_DSS_WITH_AES_128_CBC_SHA 

 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 

 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 

 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 

 TLS_RSA_WITH_AES_256_GCM_SHA384 

 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 

 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 

 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 

 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 

 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 

 TLS_RSA_WITH_AES_128_GCM_SHA256 

 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 

 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 

 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 

 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 

 TLS_EMPTY_RENEGOTIATION_INFO_SCSV 

 Unknown value 0xa7 

 Unknown value 0xa6 

 TLS_DH_anon_WITH_AES_256_CBC_SHA256 

 Unknown value 0xc019 

 TLS_DH_anon_WITH_AES_256_CBC_SHA 

 TLS_DH_anon_WITH_AES_128_CBC_SHA256 

 Unknown value 0xc018 

 TLS_DH_anon_WITH_AES_128_CBC_SHA 

 TLS_RSA_WITH_DES_CBC_SHA 

 SSL2_CK_DES 

 TLS_DHE_RSA_WITH_DES_CBC_SHA 

 TLS_DHE_DSS_WITH_DES_CBC_SHA 

 TLS_DH_anon_WITH_DES_CBC_SHA 

 TLS_RSA_WITH_NULL_SHA256 

 Unknown value 0xc006 

 SSL2_CK_RC2_EXPORT40 

 Unknown value 0xc010 

 TLS_RSA_WITH_NULL_SHA 

 Unknown value 0xc001 

 Unknown value 0xc00b 

 Unknown value 0xc015 

 TLS_RSA_WITH_NULL_MD5 

 Unknown value 0x1e 

 Unknown value 0x22 

1 2 0.0063 (0.0055) S>C Alert

   level          fatal

   value          handshake_failure

1   0.0064 (0.0000) S>C TCP RST

 

The F5 is a 1600 running 12.1.2 code. let me know if I am overlooking something or there is a better way to perform this for the app team. Thanks.

application delivery
BIG-IP
LTM
  • Mizzouri's avatar
    Mizzouri
    Icon for Altostratus rankAltostratus
    Jan 29, 2020

    Silly question, what is the latest version of software the 1600 series will support? Thanks again for your quick response!

  • Mizzouri's avatar
    Mizzouri
    Icon for Altostratus rankAltostratus
    Feb 05, 2020

    Alright, back again. We had a 4200 unit lying around which was recently reclaimed from another location. I've wiped it clean and upgraded the software to BIG-IP 15.1.0 Build 0.0.31 Final. I've duplicated the VIP setup from lat time and appending in the C3D pieces to the client/server ssl profiles. I seem to be stuck at the client cert handshake:

     

    New TCP connection #3: 10.93.169.32(57353) <-> 10.144.20.10(443)

    3 1 0.0515 (0.0515) C>S Handshake

         ClientHello

           Version 3.1

           cipher suites

             TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

             TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

             TLS_RSA_WITH_AES_256_CBC_SHA

             TLS_RSA_WITH_AES_128_CBC_SHA

             TLS_RSA_WITH_3DES_EDE_CBC_SHA

           compression methods

                     NULL

           extensions

             server_name

             status_request

             supported_groups

             ec_point_formats

             SessionTicket

             extended_master_secret

             Unknown extension (0x18)

             renegotiation_info

    3 2 0.0526 (0.0010) S>C Handshake

         ServerHello

           Version 3.1

           session_id[32]=

             cf e2 d9 64 73 36 1d d9 56 ca c2 8c 7b 9e 65 82

             b8 b5 15 06 e3 01 d1 9a 1a 6c 08 82 8b 6e f5 d0

           cipherSuite        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

           compressionMethod                  NULL

           extensions

             renegotiation_info

             ec_point_formats

             extended_master_secret

    3 3 0.0526 (0.0000) S>C Handshake

         Certificate

    3 4 0.0526 (0.0000) S>C Handshake

         ServerKeyExchange

    3 5 0.0526 (0.0000) S>C Handshake

         CertificateRequest

           certificate_types                  rsa_sign

           certificate_types                  dss_sign

           certificate_types                  ecdsa_sign

    3 6 0.0526 (0.0000) S>C Handshake

         ServerHelloDone

    3 7 0.1059 (0.0533) C>S Handshake

         Certificate

         ClientKeyExchange

         CertificateVerify

    3 8 0.1059 (0.0000) C>S ChangeCipherSpec

    3 9 0.1059 (0.0000) C>S Handshake

    3 10 0.1063 (0.0003) S>C Alert

       level          fatal

       value          handshake_failure

    3   0.1063 (0.0000) S>C TCP FIN

    3   0.1342 (0.0279) C>S TCP FIN

    New TCP connection #4: 10.93.169.32(57354) <-> 10.144.20.10(443)

    4   0.0203 (0.0203) C>S TCP FIN

    4   0.0203 (0.0000) S>C TCP FIN

    (cfg-sync Standalone)(Active)(/Common)(tmos)#

     

    • Simon_Blakely's avatar
      Simon_Blakely
      Icon for Employee rankEmployee
      Feb 06, 2020

      You probably need to capture both the client and server-side handshakes at the same time.

      You may be getting a server-side authentication failure when the forged certificate is passed to the pool member.