NODE LISTENING ON 8443 DOWN WITH SSL HEALTH MONITOR
So I have this problem where suddenly, the nodes went down and nothing changed.
Health Monitor:
Send String: GET /health.txt\r\n\r\n
Receive String: OK
Cipher: DEFAULT:+SHA:+3DES:+kEDH
Here is my ssldump output:
New TCP connection 27: 10.3.71.9(57860) <-> 10.3.71.89(8443)
27 1 0.0009 (0.0009) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
Unknown value 0x3a
Unknown value 0x39
Unknown value 0x38
Unknown value 0x35
Unknown value 0x34
Unknown value 0x33
Unknown value 0x32
Unknown value 0x2f
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
27 2 0.0013 (0.0004) S>CV3.1(2) Alert
level fatal
value handshake_failure
27 0.0013 (0.0000) S>C TCP FIN
New TCP connection 28: 10.3.8.9(57872) <-> 10.3.8.32(8443)
28 0.0017 (0.0017) C>S TCP FIN
0.0020 (0.0002) S>C
---------------------------------------------------------------
15 03 01 00 02 02 28 ......(
---------------------------------------------------------------
Using default options:
openssl s_client -connect 10.3.71.89:8443
CONNECTED(00000003)
17404:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:596:
Using ssl2:
openssl s_client -connect 10.3.71.89:8443 -ssl2
CONNECTED(00000003)
17543:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
Using tls1:
openssl s_client -connect 10.3.71.89:8443 -tls1
CONNECTED(00000003)
depth=0 /C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.bla.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.blah.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.blah.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.blah.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIgFGjCCBAKgAgwIBAgIQDG0L78P9vCy0DKXDANBggkqhkiG9w0BAQUADBm
....
....
...
As you can see, using openssl -tls1, I connect fine. I suspect this is the problem, but I don't know how to change the protocol to force TLSv1 only in a health monitor. I'm using v9 of the LTM.
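The ssldump trace shows bigd opening with an SSLv2-compatible ClientHello and the server answering with a fatal handshake_failure alert (record 15 03 01 00 02 02 28: alert, version 3.1, length 2, level fatal, description 40), while openssl s_client -tls1 negotiates fine. An external (EAV) monitor can reproduce the working handshake by driving openssl itself. The script below is an added example, not code from this thread, from F5 or from the linked DevCentral article. The Send String (GET /health.txt) and Receive String (OK) come from the monitor definition in the post; everything about how bigd invokes the script is an assumption: that it is called as <script> <address> <port> with the address possibly in IPv6-mapped form (::ffff:10.3.71.89), that any output on stdout marks the member UP and no output marks it DOWN, and that /var/run is writable for the pidfile used to kill an overrunning previous instance.

```shell
#!/bin/sh
# Added example (not from the thread or F5): external health monitor that
# forces a TLSv1-format ClientHello with "openssl s_client -tls1", sends the
# built-in monitor's Send String and marks the member UP only if the Receive
# String appears in the application data the server returns.
#
# Assumptions (not confirmed by the thread):
#  - bigd runs:  <script> <node address> <port>   (address may be ::ffff:a.b.c.d)
#  - anything on stdout == UP, nothing on stdout == DOWN
#  - a previous instance that overran its interval may still be running; the
#    pidfile in $PIDDIR is used to kill it, as EAV scripts conventionally do
#  - the box's openssl accepts -tls1 (the original post shows that it does)

SEND_STRING='GET /health.txt\r\n\r\n'   # same Send String as the built-in monitor
RECV_STRING='OK'                          # same Receive String
PIDDIR=${PIDDIR:-/var/run}

# Strip an IPv6-mapped prefix so s_client receives a plain IPv4 address.
node_ip() {
    printf '%s\n' "${1#::ffff:}"
}

# Emit the request byte-exact: printf turns the \r\n escapes into CR LF.
build_request() {
    # shellcheck disable=SC2059
    printf "$SEND_STRING"
}

# s_client prints certificate and session details first; the bytes the server
# actually sent follow the last line consisting of exactly "---". Keeping only
# that part avoids matching "OK" inside the base64 of the server certificate.
app_data() {
    printf '%s\n' "$1" | awk '/^---$/ { buf = ""; next }
                                     { buf = buf $0 "\n" }
                               END   { printf "%s", buf }'
}

# True (exit 0) if the Receive String occurs anywhere in the application data,
# which is how the LTM monitor evaluates its Receive String.
response_ok() {
    app_data "$1" | grep -q -- "$RECV_STRING"
}

# Handshake with a TLSv1 ClientHello, send the request, and hold stdin open a
# moment so s_client does not shut the connection on EOF before the reply
# arrives. Keep the sleep below the monitor's timeout.
probe() {
    ip=$1; port=$2
    { build_request; sleep 2; } |
        openssl s_client -connect "$ip:$port" -tls1 2>/dev/null
}

monitor() {
    ip=$(node_ip "$1"); port=$2
    pidfile="$PIDDIR/$(basename "$0").$ip.$port.pid"
    if [ -f "$pidfile" ]; then
        kill -9 "$(cat "$pidfile")" 2>/dev/null   # previous run overran its interval
    fi
    echo $$ > "$pidfile"

    resp=$(probe "$ip" "$port")
    rm -f "$pidfile"
    if response_ok "$resp"; then
        echo "UP"    # any stdout marks the pool member available
    fi
}

# Only probe when bigd supplied an address and port; running or sourcing the
# file without arguments just defines the functions.
if [ $# -ge 2 ]; then
    monitor "$1" "$2"
fi
```

Install it as an external monitor and point the pool's monitor at it; because the only protocol decision is made by the -tls1 flag, the script sidesteps the SSLv2-format ClientHello that bigd emits on 9.x and tests exactly the handshake that the manual openssl run in the post showed working.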
5 Replies
- nitass
Employee
Is it a ClientHello message format issue or an SSL protocol version issue? I understand version 3.1 is TLS 1.0.
For message format, it changed from an SSLv2-formatted ClientHello message to a TLSv1/SSLv3 ClientHello message in 11.0.0 according to ID222483.
ID222483 - [RFE] Add way to force bigd to send TLSv1/SSLv3 Client Hello instead of SSLv2
If it is a message format issue and an upgrade is not possible, you may have to use an external monitor.
- mgamez_60648
Nimbostratus
Hi nitass, this is an older version of F5, it's v9.4, so that ID wouldn't apply. Any other suggestions?
- nitass
Employee
You can use an external health monitor, can't you? HTTPS - Monitor SSL Handshake https://devcentral.f5.com/s/articles/https-monitor-ssl-handshake
- SynACk_128568
Cirrostratus
Hi mgamez,
I think that the server disabled SSLv2 and SSLv3, and after that you are seeing pool members down.
Please confirm.
Thanks and regards, Ankit
- SHIHABUDDIN_312
Nimbostratus
I am facing the same issue (openssl s_client -connect 10.3.71.89:8443 CONNECTED(00000003) 17404:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:596:). Did you find a resolution?