Forum Discussion
serverssl behavior in 11.4.x
The resume field just means the client is attempting to resume a previous session, so you're not technically looking at an initial SSL handshake. Also notice that your client is presenting a bunch of elliptic curve ciphers with TLS1.2 that it doesn't for TLS1.1 and below. It's hard to say exactly what the issue is since the server is the one throwing the error, but since it's happening immediately after the ClientHello, it's a good bet the server doesn't like some cipher or extension that the client is sending.
There are a few ways to troubleshoot this. First, here's a really cool Bash script you can point at your server to see what ciphers and protocols it actually supports:
http://www.tuxad.de/scripts/ssltest.sh
That may immediately show you the problem. Otherwise you can start testing different protocol and cipher options with the openssl s_client command.
openssl s_client -connect 192.168.10.10:443
There's a "-cipher" option to this command that allows you to tweak the ciphers that you send, so for example:
openssl s_client -connect 192.168.10.10:443 -cipher 'ECDHE-RSA-AES128-SHA'
You can then run through all of the ciphers that you saw in the ClientHello of the failed request, or the ciphers listed in the Bash script.
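The cipher-by-cipher test described in the reply above, as an added example that is not part of the original post: it offers one cipher per handshake and reports which ones the server accepts. The function names and the `PROBE` override are hypothetical; the success check assumes the `New, ..., Cipher is ...` summary line that `openssl s_client` prints.

```shell
#!/bin/sh
# Added example: offer one cipher at a time to a server you administer.

# negotiated_cipher: reads s_client output on stdin and prints the cipher
# that was negotiated. Returns non-zero when the summary line is missing
# (connection failed) or reads "Cipher is (NONE)" (handshake rejected).
negotiated_cipher() {
    c=$(sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    [ -n "$c" ] && [ "$c" != "(NONE)" ] && printf '%s\n' "$c"
}

# probe_cipher TARGET CIPHER [PROTO_FLAG]
# One handshake offering a single cipher. PROTO_FLAG is optional, for
# example -tls1_2 to pin the protocol version that was failing.
# -cipher only controls TLS 1.2 and below. </dev/null makes s_client exit
# once the handshake is done instead of waiting for input.
probe_cipher() {
    openssl s_client -connect "$1" -cipher "$2" ${3:+"$3"} </dev/null 2>&1 |
        negotiated_cipher >/dev/null
}

# scan_ciphers TARGET "CIPHER1:CIPHER2:..." [PROTO_FLAG]
# Takes the same colon-separated syntax as -cipher, but probes each entry
# separately and prints "cipher<TAB>OK" or "cipher<TAB>FAIL".
# Setting PROBE swaps in another probe function (used for offline tests).
scan_ciphers() {
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r cipher; do
        [ -n "$cipher" ] || continue
        if "${PROBE:-probe_cipher}" "$1" "$cipher" "${3:-}"; then
            printf '%s\tOK\n' "$cipher"
        else
            printf '%s\tFAIL\n' "$cipher"
        fi
    done
}

# Run only when arguments are given, e.g.:
#   sh scan.sh 192.168.10.10:443 'ECDHE-RSA-AES128-SHA:AES128-SHA' -tls1_2
if [ "$#" -ge 2 ]; then
    scan_ciphers "$@"
fi
```

Feed it the cipher names from the failing ClientHello; any cipher that flips from FAIL to OK when the protocol flag is changed points at a version-specific problem on the server side.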