Forum Discussion
Proxy SSL
Hi, I've been trying to make the Proxy SSL feature work for a long time, but unfortunately no luck. I am still in learning mode on F5 products. I have clients which would require updates from one Microsoft server, and the server would authenticate the clients based on client certificates. I have the right server certificate and we have modified the server ciphers as follows:
33: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
34: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
37: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
38: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
39: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
40: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
41: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
42: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
I am not sure why it's not working; after the client SSL hello, I get a TCP RST :(
Can someone help? What needs to be checked?
7 Replies
- nathe
Cirrocumulus
Nuruddin, do you have a client and server SSL configured on the VIP, both with proxy SSL enabled?
You may be best running ssldump to see what's happening.
- Nuruddin_Ahmed_
Cirrostratus
New TCP connection 39: 10.10.10.10(50993) <-> 10.9.9.9(443)
New TCP connection 40: 10.9.9.8(24459) <-> 10.9.9.7(443)
39 1 0.0015 (0.0015) C>SV3.1(167) Handshake
ClientHello Version 3.1 random[32]= 57 4e 87 82 55 74 e8 19 ef dd 10 a1 b8 6f 3b a4 af 6c 0b f7 8b 79 17 d3 fb 23 d0 c6 c5 39 80 96 cipher suites Unknown value 0xff Unknown value 0xc00a Unknown value 0xc014 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA Unknown value 0xc00f Unknown value 0xc005 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA Unknown value 0xc007 Unknown value 0xc009 Unknown value 0xc011 Unknown value 0xc013 Unknown value 0x45 Unknown value 0x44 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA Unknown value 0xc00c Unknown value 0xc00e Unknown value 0xc002 Unknown value 0xc004 Unknown value 0x96 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_AES_128_CBC_SHA Unknown value 0xc008 Unknown value 0xc012 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA Unknown value 0xc00d Unknown value 0xc003 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA compression methods NULL
40 1 0.0007 (0.0007) C>SV3.1(167) Handshake
ClientHello Version 3.1 random[32]= 57 4e 87 82 55 74 e8 19 ef dd 10 a1 b8 6f 3b a4 af 6c 0b f7 8b 79 17 d3 fb 23 d0 c6 c5 39 80 96 cipher suites Unknown value 0xff Unknown value 0xc00a Unknown value 0xc014 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA Unknown value 0xc00f Unknown value 0xc005 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA Unknown value 0xc007 Unknown value 0xc009 Unknown value 0xc011 Unknown value 0xc013 Unknown value 0x45 Unknown value 0x44 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA Unknown value 0xc00c Unknown value 0xc00e Unknown value 0xc002 Unknown value 0xc004 Unknown value 0x96 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_AES_128_CBC_SHA Unknown value 0xc008 Unknown value 0xc012 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA Unknown value 0xc00d Unknown value 0xc003 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA compression methods NULL
40 2 0.0036 (0.0029) S>CV3.1(3605) Handshake
ServerHello Version 3.1 random[32]= 57 4e 87 80 a6 10 2d a8 57 77 93 4b 02 d0 a8 4b c6 f4 ca 77 59 b3 9c 16 57 c3 84 d1 1b c4 dd 2f session_id[32]= af 1e 00 00 b6 6b 3a 8f f7 b7 fd bf fa f0 bf 22 4a 71 b2 3b 41 49 fa 62 84 e8 aa 90 d7 f7 b0 3e cipherSuite Unknown value 0xc014 compressionMethod NULL Certificate ServerKeyExchange ServerHelloDone
40 3 0.0037 (0.0000) C>SV3.1(2) Alert
level fatal value handshake_failure
39 2 0.0045 (0.0030) S>CV3.1(2) Alert
level fatal value handshake_failure
39 0.0045 (0.0000) S>C TCP RST
40 0.0037 (0.0000) C>S TCP RST
- nathe
Cirrocumulus
This does suggest the server doesn't support any of the ciphers the client is suggesting. Can you double check your client SSL cipher string setting?
- Nuruddin_Ahmed_
Cirrostratus
Hi Nathan, when I am accessing the backend server directly, I am able to open it from the same client machine, but via F5 it's not working. I am checking if I can do anything with ciphers. Thanks for the suggestions, they were really helpful.
- Nuruddin_Ahmed_
Cirrostratus
Could it be because of the cipher suite "Unknown value"?
40 2 0.0036 (0.0029) S>CV3.1(3605) Handshake
ServerHello Version 3.1 random[32]= 57 4e 87 80 a6 10 2d a8 57 77 93 4b 02 d0 a8 4b c6 f4 ca 77 59 b3 9c 16 57 c3 84 d1 1b c4 dd 2f session_id[32]= af 1e 00 00 b6 6b 3a 8f f7 b7 fd bf fa f0 bf 22 4a 71 b2 3b 41 49 fa 62 84 e8 aa 90 d7 f7 b0 3e **cipherSuite Unknown value 0xc014** compressionMethod NULL
- Nuruddin_Ahmed_
Cirrostratus
Also, in the client hello the version is 3.0 and in the server hello it is 3.1. Could this be the problem?
- nathe
Cirrocumulus
It could be, although I don't see that in the logs above. Anyway, if the client is 3.0 then this is the maximum SSL version it supports, i.e. SSLv3. If the server responds with 3.1 then this is telling the client it only supports TLS 1.0 or above. This will be a problem.
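The two checks this thread circles around, cipher overlap and hello version, as an added example that is not part of the original posts: a small Python script that decodes the "Unknown value 0x..." suite IDs ssldump prints (older ssldump builds predate the RFC 4492 ECDHE suites and list them only by number), intersects the client's offer with the server cipher list from the first post (49172, 49171 and 49170 are the decimal forms of 0xc014, 0xc013 and 0xc012), checks that the suite the ServerHello selects is in that intersection, and compares the hello versions the way nathe describes. The trace excerpt is constructed from the posted connection 40 records with the suite list shortened; `parse_trace`, `diagnose` and the verdict strings are this example's own, not an F5 or ssldump API. Run on the posted data it reports that 0xc014 (ECDHE-RSA-AES256-CBC-SHA) is offered by the client, enabled on the server and chosen by the server, so the fatal handshake_failure the BIG-IP sends after ServerHelloDone is not a cipher-string mismatch.

```python
import re

# IANA cipher-suite registry names for the IDs that older ssldump builds
# print only as "Unknown value 0x...". The three ECDHE-RSA suites marked
# with decimal IDs are the ones the first post lists in the server cipher list.
IANA_SUITES = {
    0x0044: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
    0x0045: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0096: "TLS_RSA_WITH_SEED_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC003: "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    0xC004: "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    0xC005: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC008: "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC00D: "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC00E: "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    0xC00F: "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",  # 49170 ECDHE-RSA-DES-CBC3-SHA
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",   # 49171 ECDHE-RSA-AES128-CBC-SHA
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",   # 49172 ECDHE-RSA-AES256-CBC-SHA
    0xFEFF: "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
}

# Constructed excerpt of the thread's ssldump output for connection 40
# (BIG-IP to backend server); the random/session_id bytes and most of the
# offered suites are dropped, the rest is as posted.
TRACE = """\
40 1 0.0007 (0.0007) C>SV3.1(167) Handshake
ClientHello Version 3.1 cipher suites Unknown value 0xff Unknown value 0xc00a Unknown value 0xc014 TLS_DHE_RSA_WITH_AES_256_CBC_SHA Unknown value 0xc013 TLS_RSA_WITH_AES_128_CBC_SHA Unknown value 0xc012 TLS_RSA_WITH_3DES_EDE_CBC_SHA compression methods NULL
40 2 0.0036 (0.0029) S>CV3.1(3605) Handshake
ServerHello Version 3.1 cipherSuite Unknown value 0xc014 compressionMethod NULL Certificate ServerKeyExchange ServerHelloDone
40 3 0.0037 (0.0000) C>SV3.1(2) Alert
level fatal value handshake_failure
"""

# Server-side cipher IDs exactly as the first post lists them (decimal).
SERVER_CONFIGURED = [49172, 49171, 49170]

SUITE_TOKEN = re.compile(r"Unknown value 0x([0-9a-fA-F]+)|\b((?:TLS|SSL)_[A-Z0-9_]+)\b")
VERSION_TOKEN = re.compile(r"Version (\d+)\.(\d+)")
ALERT_TOKEN = re.compile(r"level (\w+) value (\w+)")


def suite_names(line):
    """Cipher suites named in one ssldump hello line, decoded to IANA names."""
    names = []
    for hexval, name in SUITE_TOKEN.findall(line):
        if hexval:
            code = int(hexval, 16)
            names.append(IANA_SUITES.get(code, "UNKNOWN_0x%04x" % code))
        else:
            names.append(name)
    return names


def parse_trace(trace):
    """Pull hello versions, the client's offer, the server's choice and any alert."""
    parsed = {"client_version": None, "server_version": None,
              "offered": [], "chosen": None, "alert": None}
    for line in trace.splitlines():
        if line.startswith("ClientHello"):
            parsed["client_version"] = tuple(int(x) for x in VERSION_TOKEN.search(line).groups())
            parsed["offered"] = suite_names(line)
        elif line.startswith("ServerHello"):
            parsed["server_version"] = tuple(int(x) for x in VERSION_TOKEN.search(line).groups())
            chosen = suite_names(line)
            parsed["chosen"] = chosen[0] if chosen else None
        else:
            m = ALERT_TOKEN.search(line)
            if m:
                parsed["alert"] = m.group(2)
    return parsed


def diagnose(parsed, server_ids):
    """Decide whether the failure is explained by cipher or version negotiation."""
    server_names = [IANA_SUITES[i] for i in server_ids]
    common = [s for s in parsed["offered"] if s in server_names]
    # A server may answer with a version at or below the client's maximum, never above.
    version_ok = (parsed["client_version"] is not None
                  and parsed["server_version"] is not None
                  and parsed["server_version"] <= parsed["client_version"])
    chosen_in_common = parsed["chosen"] in common
    if not common:
        verdict = "no cipher suite is both offered by the client and enabled on the server"
    elif not version_ok:
        verdict = "server answered with a protocol version above the client's maximum"
    elif chosen_in_common and parsed["alert"] == "handshake_failure":
        verdict = ("cipher suite and version were agreed; the client rejected the "
                   "Certificate/ServerKeyExchange flight, so look beyond cipher selection")
    else:
        verdict = "no negotiation problem found in the hellos"
    return {"common_suites": common, "chosen_in_common": chosen_in_common,
            "version_ok": version_ok, "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(parse_trace(TRACE), SERVER_CONFIGURED).items():
        print("%s: %s" % (key, value))
```

Feeding the same trace with the ClientHello version changed to 3.0 makes `diagnose` flag the version rather than the ciphers, which is the case nathe's last reply describes: the server's 3.1 reply would exceed the client's stated maximum.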