Forum Discussion
ServerSSL profile issues after upgrade to v11.4.1
Hi. I am in the process of upgrading from 10.2.4HF5 to 11.4.1HF3 and have hit a problem that I cannot resolve.
Basically one of my ServerSSL profiles is failing after upgrade.
If I remove the profile everything works as expected.
The profile before change looks like this:
profile serverssl PROFILE_SYST_WASHCI3_INTERNAL_LIVE_SERVERSSL {
   defaults from serverssl
   ca file "ISOSEM.crt"
   ciphers "HIGH:MEDIUM:!SSLv2:!ADH"
   options dont insert empty fragments
   renegotiate enable
   renegotiate period indefinite
   renegotiate size indefinite
   peer cert mode require
   authenticate once
   authenticate depth 9
   authenticate name "hci3syst01.internal.company.com"
   unclean shutdown enable
   handshake timeout 60
   alert timeout 60
   cache size 20000
   cache timeout 300
}
The profile after change looks like this:
ltm profile server-ssl /SOA/PROFILE_SYST_WASHCI3_INTERNAL_LIVE_SERVERSSL {
    alert-timeout 60
    app-service none
    authenticate once
    authenticate-depth 9
    authenticate-name hci3syst01.internal.company.com
    ca-file /Common/ISOSEM.crt
    cache-size 20000
    cache-timeout 300
    ciphers DEFAULT:!TLSv1_1:!TLSv1_2
    defaults-from /Common/serverssl
    handshake-timeout 60
    options { dont-insert-empty-fragments }
    peer-cert-mode require
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    unclean-shutdown enabled
}
I had to change the ciphers as I was seeing the following errors in the log when trying to connect:
Jun 9 10:14:44 bipscint2 warning tmm[13423]: 01260017:4: Connection attempt to insecure SSL server (see RFC5746) aborted: 172.31.100.195:443
Jun 9 10:14:44 bipscint2 info tmm[13423]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:62326 to 172.31.100.195:443
After changing ciphers I am now just getting:
Jun 9 10:12:40 bipscint2 info tmm1[13423]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:62163 to 172.31.100.195:443
I also changed secure-renegotiation from require-strict to request (as I have seen issues with this).
I have tried numerous Cipher settings and none have been successful.
When I run an ssldump I get the following:
New TCP connection 1: 172.31.81.95(62005) <-> server.internal.company.com(443)
1 1 0.0013 (0.0013) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc012
Unknown value 0xff
compression methods
NULL
1 2 0.0027 (0.0014) S>C Alert
level fatal
value handshake_failure
1 0.0031 (0.0003) S>C TCP FIN
1 0.0032 (0.0001) C>S TCP RST
I know it looks like it's a server problem, but this did work on version 10.2.4.
Cipher combinations I have tried (in no particular order):
DEFAULT:!TLSv1_1:!TLSv1_2:TLSv1
RC4-SHA:DEFAULT:!TLSv1_1:!TLSv1_2:!TLSv1
RC4-SHA:DEFAULT:!TLSv1_1:!TLSv1_2 TLSv1
TLSv1:DEFAULT
HIGH:MEDIUM:!SSLv2:!ADH:!TLSv1_1:!TLSv1_2
RC4-MD5:DEFAULT:!TLSv1_1:!TLSv1_2:!TLSv1
RC4-MD5:DEFAULT:!TLSv1_1:!TLSv1_2 TLSv1
The server is only configured to allow RC4-MD5 ciphers.
However, even putting this in still generates the same error message. Any ideas?
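In the ssldump above, the "Unknown value" entries 0xc013, 0xc014 and 0xc012 are the ECDHE-RSA suites that the v11 client cipher list shows as ECDHE-RSA-AES128-CBC-SHA, ECDHE-RSA-AES256-CBC-SHA and ECDHE-RSA-DES-CBC3-SHA, and 0xff is TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746; the "insecure SSL server (see RFC5746)" log message refers to the server not answering with the renegotiation_info extension. The script below, added here as an example and not code from this thread or from F5, builds the same kind of TLS 1.0 ClientHello and decodes the server's first record to report the chosen suite and whether renegotiation_info came back (or the alert code if the server refused); the suite table and the host passed to probe() are assumptions.

```python
import socket
import struct

# Suite ids as they appear in the ssldump above (table constructed for this example)
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}
SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, the "Unknown value 0xff" in the dump
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension an RFC 5746 capable server echoes back


def build_client_hello(suite_ids):
    """TLS 1.0 (version 3.1) ClientHello record offering suite_ids plus the RFC 5746 SCSV."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids) + struct.pack("!H", SCSV)
    body = (b"\x03\x01" + bytes(32) + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                    # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """First server record -> ("alert", code) for an alert, else (suite_name, has_renegotiation_info)."""
    ctype, rlen = data[0], struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rlen]
    if ctype == 0x15:                                     # Alert record: level, description
        return ("alert", rec[1])                          # 40 = handshake_failure as in the dump
    if ctype != 0x16 or rec[0] != 0x02:                   # not a ServerHello handshake message
        return ("unexpected", ctype)
    p = 4 + 2 + 32                                        # handshake header, version, random
    p += 1 + rec[p]                                       # session id
    suite = struct.unpack("!H", rec[p:p + 2])[0]
    p += 3                                                # suite + compression method
    has_ri = False
    if p < len(rec):                                      # extensions block is optional
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            has_ri |= etype == RENEG_INFO_EXT
            p += 4 + elen
    return (SUITES.get(suite, hex(suite)), has_ri)


def probe(host, port=443, suite_ids=tuple(SUITES)):
    """Send the ClientHello to a live server and decode its answer (host is an assumption)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_client_hello(suite_ids))
        return parse_server_response(sock.recv(4096))
```

A server that answers with the suite but has_renegotiation_info False is what openssl s_client reports as "Secure Renegotiation IS NOT supported", which is the condition the BIG-IP logs as an insecure SSL server.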
29 Replies
- JG
Cumulonimbus
Seems to be a known issue. See:
https://devcentral.f5.com/questions/issues-with-exchange-2013-iapp-on-1141answer96617
https://devcentral.f5.com/questions/ssl-handshake-errors
- LyonsG_85618
Cirrostratus
I did see https://devcentral.f5.com/questions/ssl-handshake-errors and that's where I got the new cipher strings etc. However, my problem still persists. I have raised a ticket with F5 but thought it would be worth posting on DevCentral too.
- mickey0141_1330
Nimbostratus
I had a similar issue when upgrading from 10.2.1 to 11.4.1. I also had to reconfigure the SSL renegotiation settings due to the RFC5746 issue. From the F5, try opening a test SSL session to the server:
openssl s_client -connect 123.123.123.123:443
and then note the cipher in use on the remote device.
SSL-Session: Protocol: TLSv?? Cipher: ????
Have a look at the difference in protocols in the cipher suites between the versions:
Version 10:
http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10262.html
Version 11:
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html
The solution for my problem was to disable TLSv1.1 and TLSv1.2 in the options section of the profile:
Enabled Options: No TLSv1.1 No TLSv1.2
I hope this helps.
- LyonsG_85618
Cirrostratus
Thanks Mickey. I did try No TLSv1.1 and No TLSv1.2 both in the cipher settings and via the enabled options on the profile.
Using OpenSSL it says the server uses RC4-MD5 and TLSv1... however I still can't get the ServerSSL profile to work. :(
- Cory_50405
Noctilucent
Is there an error displayed in the client's browser?
We encountered the issue when upgrading from v11.2 to v11.4.1, pertaining to SSL/TLS ciphers. The client's browser said something about enabling TLS, and changing the server SSL profile cipher string to 'DEFAULT:!TLSv1_1:!TLSv1_2' was our fix.
If SSL renegotiation is your issue, then in /var/log/ltm you should see a message indicating that.
- LyonsG_85618
Cirrostratus
Cory - no error in the browser, I'm afraid. I tried changing the SSL ciphers to 'DEFAULT:!TLSv1_1:!TLSv1_2' but that made no difference.
SSL renegotiation is enabled and changed from 'require/strict' to 'request', but that didn't work either.
The only error in the log is:
SSL Handshake failed for TCP from 172.31.81.95:62163 to 172.31.100.195:443
- LyonsG_85618
Cirrostratus
If I use DEFAULT:!TLSv1_1:!TLSv1_2 I can't see RC4-MD5 ciphers:
tmm --clientciphers 'DEFAULT:!TLSv1_1:!TLSv1_2'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
2: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
3: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
4: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
12: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
13: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
And I still get the error in the log:
SSL Handshake failed for TCP from 172.31.81.95:65417 to 172.31.100.195:443
If I use 'MEDIUM:!TLSv1_1:!TLSv1_2':
tmm --clientciphers 'MEDIUM:!TLSv1_1:!TLSv1_2'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
1: 4 RC4-MD5 128 TLS1 Native RC4 MD5 RSA
2: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
3: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
4: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
5: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
6: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
7: 51 DHE-RSA-AES128-SHA 128 SSL3 Native AES SHA EDH/RSA
8: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
9: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
I can see RC4-MD5 ciphers but get the following in the log:
Jun 10 09:44:48 bipscint2 notice tmm2[13424]: 01260018:5: Connection attempt to insecure SSL server (see RFC5746): 172.31.100.195:443
Jun 10 09:44:48 bipscint2 info tmm2[13424]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:65533 to 172.31.100.195:443
- Cory_50405
Noctilucent
If you use cipher string MEDIUM:!TLSv1_1:!TLSV1_2, and set secure renegotiation to 'request', does it work?
- LyonsG_85618
Cirrostratus
No, Cory. Still get the same error: SSL Handshake failed for TCP from 172.31.81.95:49844 to 172.31.100.195:443
- Cory_50405
Noctilucent
Just for the sake of proving it'll work, change the cipher string to ALL and see if that works. If it goes, grab an ssldump and see what ciphers the server supports.
- LyonsG_85618
Cirrostratus
Also the output from OpenSSL:
openssl s_client -cipher 'DEFAULT' -connect 172.31.100.195:443
CONNECTED(00000003)
depth=0 /C=GB/postalCode= /ST=/L=/O=Company/OU=IS/CN=syst01.internal.comapny.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=GB/postalCode=/ST=/L=/O=The Standard Life Assurance Company/OU=IS/CN=syst01.internal.comapny.com
verify return:1
Certificate chain
0 s:/C=GB/postalCode= /ST=/L=/O=Company/OU=IS/CN=syst01.internal.company.com
/C=GB/postalCode= /ST=/L=/O=Company/OU=IS/CN=syst01.internal.company.com
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=GB/postalCode=/ST=/L=/O=Company/OU=IS/CN=syst01.internal.comapny.com
issuer=/C=GB/postalCode=/ST=/L=/O=Company/OU=IS/CN=syst01.internal.comapny.com
No client certificate CA names sent
SSL handshake has read 861 bytes and written 321 bytes
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 001240D4FF3E1B3A8167B4A79FD72FE6EE7
Session-ID-ctx:
Master-Key: ED6C95733E32C3EAB5F28DC6D9041E6CF4927
Key-Arg : None
Start Time: 1402397802
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
Apologies for UPPERCASE/BOLD
- LyonsG_85618
Cirrostratus
I also get error using following:
openssl s_client -cipher 'DEFAULT:!TLSv1_1:!TLSv1_2' -connect 172.31.100.195:443
error setting cipher list
4839:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:839:
4839:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:839:
- nitass_89166
Noctilucent
Have you tried ciphers ALL? Try ssldump again and see whether the server still resets.
- LyonsG_85618
Cirrostratus
Hi Nitass. Cipher settings set to ALL. SSL dump:
2 0.0026 (0.0015) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
00 02 20 ec ab 11 f5 3c 34 9d 30 d5 01 47 9d 0e
14 7b ac c0 58 58 58 58 53 98 1e 3a 00 01 a6 8b
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
Certificate
ServerHelloDone
2 0.0028 (0.0002) C>S TCP RST
- LyonsG_85618
Cirrostratus
Still have not heard back from support either. Will chase them up and advise them of this thread! Thanks for your help