For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

abi1980_184094's avatar
abi1980_184094
Icon for Nimbostratus rankNimbostratus
Oct 25, 2015

server hangup error

Hi   Trying to new my SSL cert for ADFS webproxy with SHA2 when i install the cert i am getting server hangup error   bypassing the F5 it works fine   can anyone help  
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 25, 2015

It's very likely that the webproxy is not accepting some attribute (or lack of) of the BIG-IP's SSL ClientHello. Here's what I'd do to troubleshoot:

  1. Perform and SSLdump on the server side VLAN to see where/when the error happens:

    ssldump -AdNn -i [server side VLAN name] port 443 [and any additional filters]

    If you see the server send a reset directly after the ClientHello, then you can assume the server is not able to comply with the BIG-IP's SSL options, or that the BIG-IP is missing an option that the server requires.

  2. Assuming the issue is within the SSL handshake, which you'll determine in the first step above, no try to connect to the server directly with the openssl s_client command:

    openssl s_client -connect [IP of server]

    If that fails then you can be almost certain that the server is requiring something that it didn't before. Try adding an SNI (server name indication) attribute:

    openssl s_client -connect [IP of server] -servername 'server1.domain.com'

    If that works, then the server is requiring SNI, something that I've personally seen as a requirement in other ADFS environments. You can add a server name value to the BIG-IP server SSL profile and that should get it to work.