Forum Discussion

Cirrus

Sep 30, 2015

serverssl behavior in 11.4.x

We ran into an issue that the SSL handshake on the serverside fails after updating the certificate on the server. Nothing changed on the LB. I'm aware of the serverssl profile behavior change in rega...

Employee

Sep 30, 2015

What is different about the new server certificate? ECDSA vs RSA? It almost sounds like your server is requiring an unsupported cipher suite when using TLS1.2 and can happily negotiate something supported if using a lower protocol. I'd highly recommend doing an SSLDUMP capture on the server side to see what's happening.

ssldump -AdNn -i [0.0 or internal VLAN name] port 443 [and any other display filters]

You're looking for when the error is thrown and what was sent immediately prior. For example, if the server sends an alert immediately after the F5's ClientHello, then you can suspect the client didn't present a protocol and cipher suite combination that the server would accept. What then changes when you disable TLS1.2?

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

serverssl behavior in 11.4.x

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

iRules variables in BIG-IP Next: behavior change

Behavior of outbound DNS query from LTM behavior

Activate serverssl profile in iRule

behavior of SSL::disable serverside

AI Safety: Navigating Deception, Emergent Goals, and Power-seeking Behaviors

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS