For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

masajjad's avatar
masajjad
Icon for Cirrus rankCirrus
Jul 23, 2020

pool member sending Alert (Level: Fatal, Description: Unknown Certificate [46]) for a new SSL Cert of a VS

Current wildcard cert (2048 bit key size) about to expired used for SSL offloading on HTTPS VS. New cert (4096 bit key size) was applied to the that VS and application breaks.   VS server also ha...
masajjad's avatar
masajjad
Icon for Cirrus rankCirrus
Jul 23, 2020

Thanks for you time and effort to help me out. Current wildcard is expiring this Sunday. So, it's a bit of crisis.

 

Disabling Generic Alert in client SSL profile did not add much detail. Both cases I see only handshake error message between pool member and VS. Nothing much besides this error.

 

I had tail -f /var/log/ltm running

 

 

Jul 23 06:32:49 Ottciof5101 warning tmm1[21959]: 01260013:4: SSL Handshake failed for TCP 10.5.15.120:62226 -> 10.5.29.11:443

 

Jul 23 06:38:11 Ottciof5101 warning tmm1[21959]: 01260013:4: SSL Handshake failed for TCP 10.5.15.120:62242 -> 10.5.29.11:443

 

This being a wildcard cert it was used on multiple client SSL profile. I created a custom parent SSL profile pointed the new cert there. And all old SSL profiles were extended from that custom parent instead of factory default

 

(/Common)(tmos)

 

ltm profile client-ssl clientssl_Wildcard_COMPANY {

  app-service none

  cert-key-chain {

    Wildcard_COMPANY_2020_Entrust_Chain_Bundle_Dec_2030_0 {

      cert Wildcard_COMPANY_2020.com

      chain Entrust_Chain_Bundle_Dec_2030

      key Wildcard_COMPANY_2020.com

    }

  }

  defaults-from clientssl

  inherit-ca-certkeychain true

  inherit-certkeychain false

}

 

(cfg-sync In Sync)(Active)(/HR)(tmos)#

 

 

ltm profile client-ssl HR-Accero-SNI_cfmws.com-SHA2 {

  app-service none

  cert-key-chain {

    Wildcard_COMPANY_2020_Entrust_Chain_Bundle_Dec_2030_0 {

      cert /Common/Wildcard_COMPANY_2020.com

      chain /Common/Entrust_Chain_Bundle_Dec_2030

      key /Common/Wildcard_COMPANY_2020.com

    }

  }

  defaults-from /Common/clientssl_Wildcard_COMPANY

  generic-alert disabled

  inherit-ca-certkeychain true

  inherit-certkeychain true

  server-name *.abc.com

  sni-default true

}

ltm profile client-ssl HR-Accero-SNI_cfpsa.com_SHA2 {

  app-service none

  cert-key-chain {

    Wildcard_COMPANY_2020_Entrust_Chain_Bundle_Dec_2030_0 {

      cert /Common/Wildcard_COMPANY_2020.com

      chain /Common/Entrust_Chain_Bundle_Dec_2030

      key /Common/Wildcard_COMPANY_2020.com

    }

  }

  defaults-from /Common/clientssl_Wildcard_COMPANY

  generic-alert disabled

  inherit-ca-certkeychain true

  inherit-certkeychain true

  server-name *.xyz.com

}