Forum Discussion
Server hello failing
Hello team
We are running 12.x and a few of our VIPs are failing in the SSL handshake, but when I enable SSLv3 on the client SSL profile I am able to connect to the VIP. The debug log is showing "info tmm[19580]: 01260013:6: SSL Handshake failed for TCP"
3 1 0.2906 (0.2906) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
3 0.2906 (0.0000) C>S TCP RST
- jaikumar_f5
Noctilucent
Hi Mike,
This clearly means the client is coming in with an old SSL version. When I enable SSLv3 on the client SSL profile, I am able to connect to the VIP.
As you should know already.
        clientssl       serverssl
Client -----------> LTM ---------> Server
So if you're making a change on the clientssl to allow SSLv3, it means the client was coming in on SSLv3.
- Stanislas_Piro2
Cumulonimbus
Can you post your cipher string here?
Can you execute this command on your bigip:
tmm --clientciphers 'put your cipher string here'
In the command, the cipher string must be between single quotes...
Then check if there is at least one cipher in both the client hello packet and the BIG-IP clientssl profile.
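
The comparison suggested in the post above, as an added example that is not part of any post in this thread: it intersects the suites in an ssldump ClientHello with the rows printed by `tmm --clientciphers`. It assumes each row is laid out as index, decimal suite ID, suite name, bits, protocol; the function names are hypothetical and the sample inputs are constructed.

```python
import re

# IANA names -> code points for the suites in the ClientHello posted in this thread.
IANA_IDS = {n: int(h, 16) for n, h in (p.split("=") for p in """
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256=C02B TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256=C02F
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256=009E TLS_RSA_WITH_AES_128_GCM_SHA256=009C
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA=C00A TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA=C014
TLS_DHE_RSA_WITH_AES_256_CBC_SHA=0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256=006B
TLS_DHE_DSS_WITH_AES_256_CBC_SHA=0038 TLS_RSA_WITH_AES_256_CBC_SHA=0035
TLS_RSA_WITH_AES_256_CBC_SHA256=003D TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA=C009
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA=C013 TLS_DHE_RSA_WITH_AES_128_CBC_SHA=0033
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256=0067 TLS_DHE_DSS_WITH_AES_128_CBC_SHA=0032
TLS_RSA_WITH_AES_128_CBC_SHA=002F TLS_RSA_WITH_AES_128_CBC_SHA256=003C
TLS_RSA_WITH_RC4_128_SHA=0005 TLS_RSA_WITH_RC4_128_MD5=0004
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA=0016 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA=0013
TLS_RSA_WITH_3DES_EDE_CBC_SHA=000A""".split())}

def hello_suites(ssldump_text):
    """Code points offered, in client order (KeyError for a suite not in the table)."""
    return [IANA_IDS[n] for n in re.findall(r"\bTLS_[A-Z0-9_]+\b", ssldump_text)]

def profile_suites(tmm_text):
    """Map suite ID -> (name, protocols) from `tmm --clientciphers` rows (assumed layout)."""
    out = {}
    for line in tmm_text.splitlines():
        m = re.match(r"\s*\d+:\s+(\d+)\s+(\S+)\s+\d+\s+(\S+)", line)
        if m:  # header and blank lines do not match
            out.setdefault(int(m.group(1)), (m.group(2), set()))[1].add(m.group(3))
    return out

def shared_suites(ssldump_text, tmm_text):
    """Suites present in both lists; an empty result means no common cipher."""
    prof = profile_suites(tmm_text)
    return [(prof[c][0], sorted(prof[c][1])) for c in hello_suites(ssldump_text) if c in prof]

# Constructed sample inputs, not captured from a real device.
HELLO = """ClientHello
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA"""
PROFILE = """       ID  SUITE                        BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 1:    47  AES128-SHA                   128  TLS1    Native  AES      SHA     RSA
 2:    47  AES128-SHA                   128  TLS1.2  Native  AES      SHA     RSA
 3: 49196  ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA"""

if __name__ == "__main__":
    for name, protos in shared_suites(HELLO, PROFILE):
        print(name, ",".join(protos))
```

The protocol column matters as much as the suite name: a shared suite only helps if the profile enables it for a protocol version the client also offers.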
- uzair
Nimbostratus
Can you please paste the client profile? Also, please enable the RST reason and paste the reset reason.