Forum Discussion
LyonsG_85618
Cirrostratus
Jun 09, 2014
ServerSSL profile issues after upgrade to v11.4.1
Hi. I am in the process of upgrading from 10.2.4HF5 to 11.4.1HF3 and have hit a problem that I cannot resolve.
Basically one of my ServerSSL profiles is failing after upgrade.
If I remove the prof...
LyonsG_85618
Cirrostratus
Jun 10, 2014
If I use DEFAULT:!TLSv1_1:!TLSv1_2 I can't see RC4-MD5 ciphers:
tmm --clientciphers 'DEFAULT:!TLSv1_1:!TLSv1_2'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
2: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
3: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
4: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
12: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
13: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
And still get error in log:
SSL Handshake failed for TCP from 172.31.81.95:65417 to 172.31.100.195:443
If I use 'MEDIUM:!TLSv1_1:!TLSv1_2':
tmm --clientciphers 'MEDIUM:!TLSv1_1:!TLSv1_2'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
1: 4 RC4-MD5 128 TLS1 Native RC4 MD5 RSA
2: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
3: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
4: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
5: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
6: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
7: 51 DHE-RSA-AES128-SHA 128 SSL3 Native AES SHA EDH/RSA
8: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
9: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
I can see RC4-MD5 ciphers but get the following in the log:
Jun 10 09:44:48 bipscint2 notice tmm2[13424]: 01260018:5: Connection attempt to insecure SSL server (see RFC5746): 172.31.100.195:443
Jun 10 09:44:48 bipscint2 info tmm2[13424]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:65533 to 172.31.100.195:443
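
Added example, not part of the original post: a small Python parser for the `tmm --clientciphers` listings above that diffs what two cipher strings expand to and flags legacy entries. The rows are an abridged copy of the post's output; the function names and the "legacy" criteria (RC4, DES/3DES, MD5, SSL3) are this example's assumptions.

```python
import re

# Abridged rows copied from the two listings in the post above.
DEFAULT_OUT = """ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
3: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA"""
MEDIUM_OUT = """ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
1: 4 RC4-MD5 128 TLS1 Native RC4 MD5 RSA
3: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
5: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
8: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
9: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA"""

# Columns: index, ID, SUITE, BITS, PROT, METHOD (ignored), CIPHER, MAC, KEYX
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+\S+"
                 r"\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse(listing):
    """Map (suite, protocol) -> attributes; header and malformed lines are skipped."""
    rows = {}
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            sid, suite, bits, prot, cipher, mac, keyx = m.groups()
            rows[(suite, prot)] = {"id": int(sid), "bits": int(bits),
                                   "cipher": cipher, "mac": mac, "keyx": keyx}
    return rows

def only_in(a, b):
    """Suite/protocol pairs offered by listing a but not by listing b."""
    return sorted(set(parse(a)) - set(parse(b)))

def legacy(listing):
    """Pairs using RC4, DES/3DES, MD5 or SSL3 (this example's criteria)."""
    return sorted(k for k, r in parse(listing).items()
                  if r["cipher"] in ("RC4", "DES") or r["mac"] == "MD5"
                  or k[1] == "SSL3")

if __name__ == "__main__":
    print("only in MEDIUM: ", only_in(MEDIUM_OUT, DEFAULT_OUT))
    print("only in DEFAULT:", only_in(DEFAULT_OUT, MEDIUM_OUT))
    print("legacy in MEDIUM:", legacy(MEDIUM_OUT))
```
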

Cory_50405
Noctilucent
Jun 10, 2014
If you use cipher string MEDIUM:!TLSv1_1:!TLSV1_2, and set secure renegotiation to 'request', does it work?

LyonsG_85618
Cirrostratus
Jun 10, 2014
No Cory. Still get same error:
SSL Handshake failed for TCP from 172.31.81.95:49844 to 172.31.100.195:443

Cory_50405
Noctilucent
Jun 10, 2014
Just for the sake of proving it'll work, change the cipher string to ALL and see if that works. If it goes, grab an ssldump and see what ciphers the server supports.

LyonsG_85618
Cirrostratus
Jun 10, 2014
Tried that and get same error:
Connection attempt to insecure SSL server (see RFC5746): 172.31.100.195:443
SSL Handshake failed for TCP from 172.31.81.95:51593 to 172.31.100.195:443

Cory_50405
Noctilucent
Jun 10, 2014
Can you try applying the 'serverssl-insecure-compatible' SSL server profile to your virtual server and see if that works?

LyonsG_85618
Cirrostratus
Jun 10, 2014
Cory - thanks. I have tried that too and still get same issue.

Cory_50405
Noctilucent
Jun 10, 2014
Does it work if you perform a curl on the webpage?
curl -k https://172.31.100.195

LyonsG_85618
Cirrostratus
Jun 10, 2014
Yes - curl, openssl etc. all work:
~ curl -k https://172.31.100.195
403 Forbidden
Forbidden
You don't have permission to access / on this server.

Cory_50405
Noctilucent
Jun 10, 2014
I'm about out of ideas. Has support been of any help?

LyonsG_85618
Cirrostratus
Jun 10, 2014
Cory - I know that feeling! Still awaiting support feedback... will post up fix when I get it! Thanks for your help!