For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Stefan_Klotz_85's avatar
Stefan_Klotz_85
Icon for Cirrus rankCirrus
Sep 30, 2015

serverssl behavior in 11.4.x

We ran into an issue that the SSL handshake on the serverside fails after updating the certificate on the server. Nothing changed on the LB. I'm aware of the serverssl profile behavior change in rega...
application delivery
deployment
LTM
serverssl
TMOS
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 30, 2015

What is different about the new server certificate? ECDSA vs RSA? It almost sounds like your server is requiring an unsupported cipher suite when using TLS1.2 and can happily negotiate something supported if using a lower protocol. I'd highly recommend doing an SSLDUMP capture on the server side to see what's happening.

ssldump -AdNn -i [0.0 or internal VLAN name] port 443 [and any other display filters]

You're looking for when the error is thrown and what was sent immediately prior. For example, if the server sends an alert immediately after the F5's ClientHello, then you can suspect the client didn't present a protocol and cipher suite combination that the server would accept. What then changes when you disable TLS1.2?