
Hassan_Hireche1
Sep 13, 2013

Open SSL error on ltm logs since v11 upgrade

Hello,

 

We upgraded our viprion 4802 from 10.2.4 to 11.2.1. Since this upgrade, we see ltm logs concerning Open SSL error every 5 seconds:

 

Sep 13 04:02:14 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure.
Sep 13 04:02:14 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:14 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:14 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:16 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:17 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:17 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:17 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:18 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:19 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure.
Sep 13 04:02:19 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:19 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:19 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:21 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:22 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:22 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:22 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Sep 13 04:02:23 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.

 

Has anyone ever faced this problem?

 

Regards,

 

Hassan Hireche

 

13 Replies

  • We had the same problem at my office and it turns out that it was a Cipher issue with the HTTPS monitor. As part of web server hardening, everything but TLS1.2 was disabled on the web servers. The HTTPS monitor did have "DEFAULT:+SHA:+3DES:+kEDH" in the ciphers list and the 'DEFAULT' group does also include TLSv1.2 cipher suites but somehow this was causing problems.

     

    I changed the cipher list to TLSv1_2+AES and this immediately fixed the problem - though it did create other problems as I did have a pool where some servers were hardened while others weren't. Adding this cipher suite caused the pool members pointing to the unhardened servers to go down.

     

    In the end I couldn't find a compromise so I just put it to "tcp". Not the best solution but I need to get the server and application guys to fix it on the servers.
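
Added example, not code from any poster in this thread: a Python triage script for bigd `01060111` entries like those in the question. It splits the errors by OpenSSL function and reason, unpacks the hex error code using the OpenSSL 1.0.x layout (8-bit library, 12-bit function, 12-bit reason), and counts errors per 5-second window, the interval mentioned in the question, to show how many monitor probes fail per cycle. The sample log and the hostname `slot1/bigip-example` are constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the bigd entries quoted in the question
# (hostname "slot1/bigip-example" is a placeholder, not a real device).
P = "slot1/bigip-example err bigd[10121]: 01060111:3: Open SSL error - error:"
SAMPLE = "\n".join([
    f"Sep 13 04:02:14 {P}140790E5:SSL routines:SSL23_WRITE:ssl handshake failure.",
    f"Sep 13 04:02:14 {P}140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.",
    f"Sep 13 04:02:16 {P}140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.",
    f"Sep 13 04:02:17 {P}140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.",
    f"Sep 13 04:02:19 {P}140790E5:SSL routines:SSL23_WRITE:ssl handshake failure.",
    f"Sep 13 04:02:21 {P}140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.",
    "Sep 13 04:02:21 slot1/bigip-example notice mcpd[5000]: unrelated entry",
])

LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) (?P<hms>\d\d:\d\d:\d\d) \S+ err bigd\[\d+\]: 01060111:3: "
    r"Open SSL error - error:(?P<code>[0-9A-Fa-f]{8}):[^:]+:(?P<func>[^:]+):(?P<reason>.+?)\.?$")

def decode(code_hex):
    """Unpack an OpenSSL 1.0.x error code into (library, function, reason) numbers."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def triage(text, window=5):
    """Count bigd SSL errors by (function, reason, code) and per `window`-second bucket."""
    by_reason, by_window, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += bool(line.strip())      # count non-empty lines that are not bigd SSL errors
            continue
        by_reason[(m["func"], m["reason"], decode(m["code"]))] += 1
        h, mi, s = map(int, m["hms"].split(":"))
        by_window[(m["day"], (h * 3600 + mi * 60 + s) // window)] += 1
    return by_reason, by_window, skipped

if __name__ == "__main__":
    reasons, windows, skipped = triage(SAMPLE)
    for (func, reason, nums), n in reasons.most_common():
        print(f"{n:3d}  {func}: {reason}  lib/func/reason={nums}")
    print("max errors in one window:", max(windows.values()), "| skipped lines:", skipped)
```

Run against `/var/log/ltm` before and after changing a monitor's cipher list, the per-window count shows whether the change cleared every failing probe or only some of them.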