mgamez_60648
Mar 14, 2015 | Nimbostratus
NODE LISTENING ON 8443 DOWN WITH SSL HEALTH MONITOR
So I have this problem where suddenly, the nodes went down and nothing changed.
Health Monitor:
Send String: GET /health.txt\r\n\r\n
Receive String: OK
Cipher: DEFAULT:+SHA:+3DES:+kEDH
Here is my SSLDUMP output:
New TCP connection 27: 10.3.71.9(57860) <-> 10.3.71.89(8443)
27 1 0.0009 (0.0009) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
Unknown value 0x3a
Unknown value 0x39
Unknown value 0x38
Unknown value 0x35
Unknown value 0x34
Unknown value 0x33
Unknown value 0x32
Unknown value 0x2f
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
27 2 0.0013 (0.0004) S>CV3.1(2) Alert
level fatal
value handshake_failure
27 0.0013 (0.0000) S>C TCP FIN
New TCP connection 28: 10.3.8.9(57872) <-> 10.3.8.32(8443)
28 0.0017 (0.0017) C>S TCP FIN
0.0020 (0.0002) S>C
---------------------------------------------------------------
15 03 01 00 02 02 28 ......(
---------------------------------------------------------------
Using default options:
openssl s_client -connect 10.3.71.89:8443
CONNECTED(00000003)
17404:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:596:
Using ssl2:
openssl s_client -connect 10.3.71.89:8443 -ssl2
CONNECTED(00000003)
17543:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
Using tls1:
openssl s_client -connect 10.3.71.89:8443 -tls1
CONNECTED(00000003)
depth=0 /C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.bla.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.blah.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.blah.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.blah.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIgFGjCCBAKgAgwIBAgIQDG0L78P9vCy0DKXDANBggkqhkiG9w0BAQUADBm
....
....
...
As you can see, using openssl -tls1, I connect fine. I suspect this is the problem, but I don't know how to change the protocol to force tls1 only in a health monitor. I'm using v9 of the LTM.
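As an added diagnostic example (not from the post, from F5, or from ssldump), the following Python script decodes the raw server record shown in the trace (`15 03 01 00 02 02 28`) as a TLS alert and parses ssldump-style output into a per-connection summary: which suites the client offered, and whether the server answered the hello with a fatal alert. It also names the `Unknown value 0x..` suites, which are the AES suites from RFC 3268 that the old ssldump in the post could not print. The embedded sample trace is a shortened copy of the post's own output; the suite ids and alert codes are the standard IANA/RFC assignments.

```python
"""Decode a TLS alert record and summarise an ssldump trace.

Added example: not part of the original post. The sample trace below is a
shortened copy of the post's ssldump output; no live connection is made.
"""
import re

# RFC 3268 AES suite ids that the ssldump in the post printed as "Unknown value".
IANA_CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
}

# TLS alert levels and descriptions (RFC 5246 section 7.2), subset.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}


def decode_alert_record(raw: bytes) -> dict:
    """Parse a TLS record header (type, version, length) and decode an alert body."""
    if len(raw) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    content_type, major, minor = raw[0], raw[1], raw[2]
    length = int.from_bytes(raw[3:5], "big")
    body = raw[5:5 + length]
    if content_type != 0x15:  # 21 = alert
        raise ValueError(f"not an alert record (content type {content_type})")
    if length != 2 or len(body) != 2:
        raise ValueError("an alert body is exactly 2 bytes (level, description)")
    return {
        "version": f"{major}.{minor}",  # 3.1 is TLS 1.0
        "level": ALERT_LEVELS.get(body[0], f"unknown({body[0]})"),
        "description": ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})"),
    }


def name_suite(suite_id: int) -> str:
    """Map a numeric suite id to its IANA name, or keep the hex if unknown here."""
    return IANA_CIPHER_NAMES.get(suite_id, f"0x{suite_id:04x}")


def parse_ssldump(text: str) -> dict:
    """Return {conn_id: {client, server, offered, alert}} from ssldump text."""
    conns, current, in_suites, alert = {}, None, False, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"New TCP connection (\d+): (\S+) <-> (\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {
                "client": m.group(2), "server": m.group(3),
                "offered": [], "alert": None})
            in_suites, alert = False, None
            continue
        if current is None:
            continue
        if line == "cipher suites":
            in_suites = True
            continue
        if in_suites:
            m = re.match(r"Unknown value (0x[0-9a-fA-F]+)$", line)
            if m:
                current["offered"].append(name_suite(int(m.group(1), 16)))
                continue
            if line.startswith(("TLS_", "SSL")):
                current["offered"].append(line)
                continue
            in_suites = False  # first non-suite line ends the list
        m = re.search(r"([CS])>([CS]).*\bAlert$", line)
        if m:
            alert = {"from": "server" if m.group(1) == "S" else "client"}
            current["alert"] = alert
            continue
        if alert is not None:
            m = re.match(r"(level|value) (\w+)$", line)
            if m:
                key = "level" if m.group(1) == "level" else "description"
                alert[key] = m.group(2)
    return conns


def diagnose(conn: dict) -> str:
    """One-line verdict for a connection summary produced by parse_ssldump."""
    a = conn["alert"]
    if a and a["from"] == "server" and a.get("description") == "handshake_failure":
        return (f"server {conn['server']} rejected the hello with a fatal "
                f"handshake_failure after the client offered "
                f"{len(conn['offered'])} suites")
    return "no server alert recorded"


# Constructed sample: a shortened copy of the ssldump output in the post.
SAMPLE_TRACE = """\
New TCP connection 27: 10.3.71.9(57860) <-> 10.3.71.89(8443)
27 1 0.0009 (0.0009) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
Unknown value 0x3a
Unknown value 0x2f
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
27 2 0.0013 (0.0004) S>CV3.1(2) Alert
level fatal
value handshake_failure
27 0.0013 (0.0000) S>C TCP FIN
"""

if __name__ == "__main__":
    print(decode_alert_record(bytes.fromhex("15030100020228")))
    for cid, conn in parse_ssldump(SAMPLE_TRACE).items():
        print(cid, conn["offered"], diagnose(conn))
```

The raw bytes in the post decode to content type 0x15 (alert), version 3.1 (TLS 1.0), length 2, level 2 (fatal), description 40 (handshake_failure), which is exactly what ssldump summarised as `S>CV3.1(2) Alert / level fatal / value handshake_failure`. Run the script against a saved `ssldump -a -d` capture to get the same per-connection summary for other pool members.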