Forum Discussion

dp_119903's avatar
dp_119903
Icon for Cirrostratus rankCirrostratus
Feb 10, 2015

RSA Self Service iRule no longer works

I upgraded from 11.2 to 11.6 and the RSA secureID selfservice page that was working is no longer working. I have an irule that we are using   Code when HTTP_REQUEST { if { [HTTP::header host] eq "...
rsa
self service
dp_119903's avatar
dp_119903
Icon for Cirrostratus rankCirrostratus

F5 support really rocked this.

 

It turns out, after looking at the packet capture, that the server was receiving an "invalid parameter" in SSL negotiation.

 

We were using the "default" serverssl profile, which also uses the default ciphers. After connecting to the server using openssl we could see that the cipher was using RC4-SHA. If you use the "tmm --serverciphers 'DEFAULT'" command on the F5 you can see what ciphers are in the "default". And with 11.6 they removed RC4-SHA. To fix it, temporarily, I just added :RC4-SHA to the cipher list so it now looks like:

 

DEFAULT:RC4-SHA

 

and it works. I think a more permanent fix is to update SSL on the server itself. But this fixed it.

 

shaggy's avatar
shaggy
Icon for Nimbostratus rankNimbostratus
Feb 10, 2015
nice find - SSL cipher suites often change between F5 releases. i highly recommend not altering the F5 default profiles - create your own based on the F5 default and make your tweaks there. changing defaults can cause migration/upgrade/support headaches