Forum Discussion
Proxy SSL unavailable suite (47) issue
Hi,
I'm trying to configure Proxy SSL for our company HTTPS website. I have imported the required certificate and private key in the Traffic Certificate Management section, created SSL client and server profiles, assigned the corresponding certificate and key that I imported, and checked Proxy SSL on both of these profiles. But when I assign these profiles to the virtual server, I get the following error in my browser (Firefox):
Secure Connection Failed
An error occurred during a connection to www.xyz.com. Cannot communicate securely with peer: no common encryption algorithm(s).
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
Also, I get the following messages in the /var/log/ltm file:
Aug 27 16:01:55 bigip1 err tmm2[15521]: 01260025:3: Cipher c014:3 negotiated is not supported by Proxy SSL configured in virtual server ...
Aug 27 16:01:55 bigip1 err tmm2[15521]: Connection error: ssl_hs_pxy_scan:14123: unavailable suite (47)
Aug 27 16:01:55 bigip1 warning tmm2[15521]: 01260013:4: SSL Handshake failed for TCP a.a.a.a:443 -> b.b.b.b:60013 (Server -> Self)
Aug 27 16:01:55 bigip1 warning tmm2[15521]: 01260013:4: SSL Handshake failed for TCP c.c.c.c:60013 -> d.d.d.d:443 (Client -> VIP)
This is the first time I want to do SSL Proxy and I think I misconfigured something in the settings.
Thanks
- Kevin_Stewart (Employee)
Cipher C014 corresponds to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
ProxySSL only works with non-PFS ciphers (i.e., only ciphers with RSA handshakes). ProxySSL cannot be used with DH, DHE, ECC, or any TLS 1.3.
Can you elaborate on why you need to use ProxySSL?
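Added example (not part of the thread and not F5 code): a Python sketch that pulls the cipher ID out of the 01260025 log message quoted in the question and classifies its key exchange, applying the rule from the reply above that Proxy SSL needs an RSA key exchange. The suite names are IANA registry values; the function names are hypothetical, and the sample log lines other than the first are constructed.

```python
import re
from collections import Counter

# Subset of the IANA TLS cipher suite registry (ID -> name).
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3
}

# Shape of the 01260025 message as quoted in the question; the meaning of the
# ":3" after the cipher ID is not stated on the page, so it is ignored here.
REJECT_RE = re.compile(
    r"01260025:\d+: Cipher ([0-9a-fA-F]{4}):\d+ negotiated is not supported by Proxy SSL")

def key_exchange(suite_id):
    """Return the key-exchange part of the suite name, e.g. 'RSA' or 'ECDHE_RSA'."""
    name = SUITES.get(suite_id)
    if name is None:
        return "unknown"
    if "_WITH_" not in name:          # TLS 1.3 suite names carry no key exchange
        return "TLS1.3"
    return name[len("TLS_"):].split("_WITH_")[0]

def proxy_ssl_compatible(suite_id):
    """Per the reply above: only RSA key exchange (non-PFS) works with Proxy SSL."""
    return key_exchange(suite_id) == "RSA"

def rejected_suites(log_lines):
    """Count Proxy SSL rejections per (hex id, suite name, key exchange)."""
    hits = Counter()
    for line in log_lines:
        m = REJECT_RE.search(line)
        if m:
            sid = int(m.group(1), 16)
            hits[(m.group(1).lower(), SUITES.get(sid, "unlisted"), key_exchange(sid))] += 1
    return hits

# Constructed sample: the first line is from the post, the others are modelled on it.
SAMPLE_LOG = [
    "Aug 27 16:01:55 bigip1 err tmm2[15521]: 01260025:3: Cipher c014:3 negotiated is not supported by Proxy SSL configured in virtual server ...",
    "Aug 27 16:01:55 bigip1 warning tmm2[15521]: 01260013:4: SSL Handshake failed for TCP a.a.a.a:443 -> b.b.b.b:60013 (Server -> Self)",
    "Aug 27 16:02:10 bigip1 err tmm2[15521]: 01260025:3: Cipher c02f:3 negotiated is not supported by Proxy SSL configured in virtual server ...",
]

if __name__ == "__main__":
    for (cid, name, kx), n in rejected_suites(SAMPLE_LOG).items():
        print(f"{n}x 0x{cid} {name}: key exchange {kx}, Proxy SSL compatible: {kx == 'RSA'}")
```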
Hello,
What software version are you running? As per the article below, "SSL handshakes will fail when the client requests to use the TLS 1.1 or TLS 1.2 protocol through the Proxy SSL-enabled virtual server". This is an old software version, and that's why I'm asking about the current version used.
KB: https://support.f5.com/csp/article/K14571
Also, please check the article below for the SSL cipher negotiation and recommendations sections:
https://support.f5.com/csp/article/K13385
BR,
MSalah