Forum Discussion
Vikky_193911
Altostratus
Nov 11, 2018
Pleasing the client with CIPHER?
Dear DevCentral people,
Can't find the proper CIPHER for clients connecting via TLS1.1 and TLS1.0 to prevent numerous handshake_failure on VS:443. I can't control clients, they are plain web browse...
Vikky_193911
Altostratus
Nov 12, 2018
Below is ssldump from BIG-IP; client offers TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA and there is the very same Cipher in DEFAULT and yet it is handshake_failure all the way.
New TCP connection 559: CLIENT_3(42790) <-> LB_VS(443)
559 1 0.0477 (0.0477) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_FALLBACK_SCSV
compression methods
NULL
extensions
renegotiation_info
server_name
extended_master_secret
SessionTicket
status_request
Unknown extension (0x3374)
signed_certificate_timestamp
application_layer_protocol_negotiation
Unknown extension (0x7550)
ec_point_formats
supported_groups
559 2 0.0477 (0.0000) S>C Alert
level fatal
value handshake_failure
559 0.0477 (0.0000) S>C TCP FIN
559 0.0480 (0.0003) C>S TCP RST
tmm --serverciphers 'DEFAULT' | grep ECDHE-ECDSA-AES256-SHA
34: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1 Native AES SHA ECDHE_ECDSA
35: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.1 Native AES SHA ECDHE_ECDSA
36: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDHE_ECDSA
37: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_ECDSA
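
An added example (not part of the original post, and not F5 code): a Python check that compares the ClientHello from the ssldump with the `tmm --serverciphers` rows for the protocol version the client actually sent. It reports which certificate key type the shared suites need and whether the hello is a fallback retry. The sample input is constructed from excerpts of the captures above, and all function names are hypothetical.

```python
# Added example: constructed sample input, excerpted from the captures quoted above.
SSLDUMP = """ClientHello
Version 3.1
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_FALLBACK_SCSV
compression methods
NULL"""
TMM = """34: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1 Native AES SHA ECDHE_ECDSA
36: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDHE_ECDSA
37: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_ECDSA"""
WIRE = {"3.1": "TLS1", "3.2": "TLS1.1", "3.3": "TLS1.2"}  # record version -> tmm label

def iana_to_openssl(name):
    """Map an IANA CBC suite name to the OpenSSL-style name tmm prints."""
    kx, _, rest = name[len("TLS_"):].partition("_WITH_")
    if rest.startswith("3DES_EDE_CBC_"):
        body = "DES-CBC3-" + rest.rsplit("_", 1)[1]
    else:
        body = rest.replace("_CBC", "").replace("AES_", "AES").replace("_", "-")
    return ("" if kx == "RSA" else kx.replace("_", "-") + "-") + body

def parse_client_hello(text):
    """Return (tmm protocol label, real suites, signalling values)."""
    lines = [l.strip() for l in text.splitlines()]
    version = next(l.split()[1] for l in lines if l.startswith("Version "))
    offered = lines[lines.index("cipher suites") + 1:lines.index("compression methods")]
    scsv = [s for s in offered if s.endswith("_SCSV")]  # not ciphers, never negotiable
    return WIRE[version], [s for s in offered if s not in scsv], scsv

def parse_tmm(text):
    """Return {(cipher name, protocol)} from `tmm --serverciphers` rows."""
    rows = (l.split() for l in text.splitlines())
    return {(f[2], f[4]) for f in rows if len(f) >= 5 and f[0].rstrip(":").isdigit()}

def analyse(ssldump, tmm):
    proto, suites, scsv = parse_client_hello(ssldump)
    server = parse_tmm(tmm)
    shared = [iana_to_openssl(s) for s in suites if (iana_to_openssl(s), proto) in server]
    return {
        "protocol": proto,
        "shared": shared,
        # ECDHE-ECDSA suites authenticate with an ECDSA key; the rest here use RSA.
        "cert_key_needed": sorted({"ECDSA" if "-ECDSA-" in s else "RSA" for s in shared}),
        # RFC 7507: the client sends this only when retrying below its best version.
        "fallback_retry": "TLS_FALLBACK_SCSV" in scsv,
    }

if __name__ == "__main__":
    print(analyse(SSLDUMP, TMM))
```

Feed it the full ClientHello and the unfiltered `tmm --serverciphers` output to see every shared suite rather than only the grepped one.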
