Forum Discussion
Page not available after replacing SSL certificate
I've recently updated an SSL certificate. I've done this many times in the past and not had any issues, but I'm seeing some odd behaviour now.
We had 4096-bit SSL certs on our LTMs running 10.2.2; however, some clients had issues with the size of the key. These were replaced with 2048-bit certs.
I added the new certificate and key to the SSL profile but now I can't view the site. I've run tcpdump and can see SSL communication between the VIP and my PC, but the page hangs and doesn't show any pages.
I've added the same certificate on to the web server directly and I can get to the page fine.
Interestingly, I have tried putting the old certificate back and I now get the same error.
Any help would be greatly appreciated.
Thanks
- Lee_Sutcliffe (Nacreous): I think I've been looking at the wrong part of the ssldump output.
I'm not 100% sure who is C or S.
This is the output from the connection I'm concerned with, but I don't know enough about ssldump to comment on it.
```
New TCP connection 9: 10.x.x.199(44455) <-> 10.x.x.3(443)
9 1 0.0195 (0.0195) C>S Handshake
    ClientHello
        Version 3.1
        cipher suites
        Unknown value 0xc00a
        Unknown value 0xc014
        Unknown value 0x88
        Unknown value 0x87
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        Unknown value 0xc00f
        Unknown value 0xc005
        Unknown value 0x84
        TLS_RSA_WITH_AES_256_CBC_SHA
        Unknown value 0xc007
        Unknown value 0xc009
        Unknown value 0xc011
        Unknown value 0xc013
        Unknown value 0x45
        Unknown value 0x44
        TLS_DHE_DSS_WITH_RC4_128_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        Unknown value 0xc00c
        Unknown value 0xc00e
        Unknown value 0xc002
        Unknown value 0xc004
        Unknown value 0x96
        Unknown value 0x41
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        Unknown value 0xc008
        Unknown value 0xc012
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        Unknown value 0xfeff
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
        unknown value
        NULL
9 2 0.0196 (0.0000) S>C Handshake
    ServerHello
        Version 3.1
        session_id[32]=
        1c 16 d1 cb 2d d0 e6 f0 81 a6 83 53 da 88 a4 2c
        19 64 34 24 fe 1c 21 cc 7f b1 b8 10 0b e2 7e fb
        cipherSuite TLS_RSA_WITH_RC4_128_SHA
        compressionMethod NULL
9 3 0.0196 (0.0000) S>C Handshake
    Certificate
9 4 0.0196 (0.0000) S>C Handshake
    ServerHelloDone
9 5 0.0947 (0.0751) C>S Handshake
    ClientKeyExchange
9 6 0.0947 (0.0000) C>S ChangeCipherSpec
9 7 0.0947 (0.0000) C>S Handshake
    Finished
9 8 0.0947 (0.0000) C>S application_data
    ---------------------------------------------------------------
    GET /callreport/ HTTP/1.1
    Host: 10.98.255.60
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    ---------------------------------------------------------------
9 9 0.0981 (0.0034) S>C ChangeCipherSpec
9 10 0.0981 (0.0000) S>C Handshake
    Finished
```
- nitass (Employee): Have you seen TCP connection 10? TCP connection 9 is client-side, which is between the client and the BIG-IP. TCP connection 10 should be server-side, between the BIG-IP and the pool member.
- Lee_Sutcliffe (Nacreous): The connection to the pool member is unencrypted, but I can't see this happen in tcpdump.
- nitass (Employee): "connection to the pool member is unencrypted, but I can't see this happen in tcpdump." Did you use a filter when capturing packets? Was the filter really correct? Could you try capturing packets without a filter, or something like this?
- Hamish (Cirrocumulus): What do you get from using openssl to connect to the VS?
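An added example, not part of the original thread: a small Python parser for ssldump text that records, per connection, the negotiated cipher suite, which side sent Finished, and which side sent application_data. The sample is abbreviated from connection 9 above; the function names and result strings are illustrative choices.

```python
import re
from collections import defaultdict

# "New TCP connection 9: a(port) <-> b(port)": ssldump prints the initiator (C) first.
NEW_CONN = re.compile(r"^New TCP connection #?(\d+): (\S+) <-> (\S+)")
# Record header: connection id, record number, time, (delta), direction, record type.
RECORD = re.compile(r"^\s*(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(\S+)")

def summarize(dump):
    """Collect per-connection handshake and application-data facts from ssldump text."""
    conns = defaultdict(lambda: {"client": None, "server": None, "cipher": None,
                                 "finished": set(), "app_data": set()})
    cid = direction = rtype = None
    for line in dump.splitlines():
        if m := NEW_CONN.match(line):
            conns[m[1]]["client"], conns[m[1]]["server"] = m[2], m[3]
        elif m := RECORD.match(line):
            cid, direction, rtype = m.groups()
            if rtype == "application_data":
                conns[cid]["app_data"].add(direction)
        elif rtype == "Handshake":  # body line of a handshake record
            text = line.strip()
            if text == "Finished":
                conns[cid]["finished"].add(direction)
            elif text.startswith("cipherSuite "):
                conns[cid]["cipher"] = text.split()[1]
    return dict(conns)

def diagnose(conn):
    """Say where the exchange stopped, as far as this capture shows."""
    if conn["finished"] != {"C>S", "S>C"}:
        return "handshake incomplete"
    if "C>S" in conn["app_data"] and "S>C" not in conn["app_data"]:
        return "handshake ok, request sent, no response"
    return "handshake ok"

# Sample abbreviated from connection 9 in the thread (cipher list and payload trimmed).
SAMPLE = """\
New TCP connection 9: 10.x.x.199(44455) <-> 10.x.x.3(443)
9 2 0.0196 (0.0000) S>C Handshake
    ServerHello
        cipherSuite TLS_RSA_WITH_RC4_128_SHA
9 6 0.0947 (0.0000) C>S ChangeCipherSpec
9 7 0.0947 (0.0000) C>S Handshake
    Finished
9 8 0.0947 (0.0000) C>S application_data
9 10 0.0981 (0.0000) S>C Handshake
    Finished
"""
```

On a capture that includes both legs, comparing the result for the client-side and server-side connections shows which leg stalled.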