Forum Discussion
ServerSSL profile issues after upgrade to v11.4.1
Hi. I am in the process of upgrading from 10.2.4HF5 to 11.4.1HF3 and have hit a problem that I cannot resolve.
Basically, one of my ServerSSL profiles is failing after the upgrade.
If I remove the profile, everything works as expected.
The profile before change looks like this:
profile serverssl PROFILE_SYST_WASHCI3_INTERNAL_LIVE_SERVERSSL {
   defaults from serverssl
   ca file "ISOSEM.crt"
   ciphers "HIGH:MEDIUM:!SSLv2:!ADH"
   options dont insert empty fragments
   renegotiate enable
   renegotiate period indefinite
   renegotiate size indefinite
   peer cert mode require
   authenticate once
   authenticate depth 9
   authenticate name "hci3syst01.internal.company.com"
   unclean shutdown enable
   handshake timeout 60
   alert timeout 60
   cache size 20000
   cache timeout 300
}
The profile after change looks like this:
ltm profile server-ssl /SOA/PROFILE_SYST_WASHCI3_INTERNAL_LIVE_SERVERSSL {
    alert-timeout 60
    app-service none
    authenticate once
    authenticate-depth 9
    authenticate-name hci3syst01.internal.company.com
    ca-file /Common/ISOSEM.crt
    cache-size 20000
    cache-timeout 300
    ciphers DEFAULT:!TLSv1_1:!TLSv1_2
    defaults-from /Common/serverssl
    handshake-timeout 60
    options { dont-insert-empty-fragments }
    peer-cert-mode require
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    unclean-shutdown enabled
}
I had to change the ciphers as I was seeing the following errors in the log when trying to connect:
Jun 9 10:14:44 bipscint2 warning tmm[13423]: 01260017:4: Connection attempt to insecure SSL server (see RFC5746) aborted: 172.31.100.195:443
Jun 9 10:14:44 bipscint2 info tmm[13423]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:62326 to 172.31.100.195:443
After changing ciphers I am now just getting:
Jun 9 10:12:40 bipscint2 info tmm1[13423]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:62163 to 172.31.100.195:443
I also changed the secure-renegotiation from require-strict to request (as I have seen issues with this).
I have tried numerous cipher settings and none have been successful.
When I run an SSLDump I get the following:
New TCP connection 1: 172.31.81.95(62005) <-> server.internal.company.com(443)
1 1 0.0013 (0.0013) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc012
Unknown value 0xff
compression methods
NULL
1 2 0.0027 (0.0014) S>C Alert
level fatal
value handshake_failure
1 0.0031 (0.0003) S>C TCP FIN
1 0.0032 (0.0001) C>S TCP RST
I know it looks like it's a server problem, but this did work on version 10.2.4.
Cipher combinations I have tried (in no particular order):
DEFAULT:!TLSv1_1:!TLSv1_2:TLSv1
RC4-SHA:DEFAULT:!TLSv1_1:!TLSv1_2:!TLSv1
RC4-SHA:DEFAULT:!TLSv1_1:!TLSv1_2
TLSv1
TLSv1:DEFAULT
HIGH:MEDIUM:!SSLv2:!ADH:!TLSv1_1:!TLSv1_2
HIGH:MEDIUM:!SSLv2:!ADH:!TLSv1_1:!TLSv1_2
RC4-MD5:DEFAULT:!TLSv1_1:!TLSv1_2:!TLSv1
RC4-MD5:DEFAULT:!TLSv1_1:!TLSv1_2
TLSv1
The server is only configured to allow RC4-MD5 ciphers.
However, even putting this in still generates the same error message. Any ideas?
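An added example, not from the thread or from F5: it rebuilds the ClientHello that ssldump printed above, parses it back, and decodes the "Unknown value" suites (names from the IANA registry; the 0xff entry is the RFC 5746 secure-renegotiation SCSV). The `diagnose` helper is an assumption about how a server picks a suite, used here only to show why a server that offers nothing but RC4-MD5 answers with handshake_failure.

```python
import struct

# IANA cipher-suite ids for the suites in the ssldump output above.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",   # ssldump: Unknown value 0xc013
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",   # ssldump: Unknown value 0xc014
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",  # ssldump: Unknown value 0xc012
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",    # ssldump: Unknown value 0xff (RFC 5746)
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",             # the only suite the back-end server allows
}

# Offered list exactly as the BIG-IP sent it (from the ssldump above); Version 3.1 = TLS 1.0.
OFFERED = [0x0005, 0x002F, 0x0035, 0x000A, 0xC013, 0xC014, 0xC012, 0x00FF]

def build_client_hello(version, suites):
    """Minimal TLS 1.x ClientHello handshake message (no extensions); random is constructed zeros."""
    body = struct.pack(">H", version) + b"\x00" * 32       # client_version + random
    body += b"\x00"                                         # empty session_id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                     # one compression method: NULL
    return b"\x01" + struct.pack(">I", len(body))[1:] + body  # HandshakeType 1 + 3-byte length

def parse_client_hello(msg):
    """Return (version, [suite ids], [compression ids]) from a ClientHello handshake message."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4                                                 # skip type + 3-byte length
    version = struct.unpack(">H", msg[pos:pos + 2])[0]; pos += 2
    pos += 32                                               # random
    pos += 1 + msg[pos]                                     # session_id length + bytes
    cs_len = struct.unpack(">H", msg[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack(">H", msg[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = msg[pos]; pos += 1
    return version, suites, list(msg[pos:pos + comp_len])

def diagnose(offered, server_supported):
    """Assumed server behaviour: first offered suite it supports; SCSV is a signal, not a suite."""
    common = [s for s in offered if s in server_supported and s != 0x00FF]
    return {"offered": [SUITES.get(s, "Unknown value 0x%04x" % s) for s in offered],
            "secure_reneg_scsv": 0x00FF in offered,
            "chosen": SUITES[common[0]] if common else None}   # None -> handshake_failure
```

With the page's server (RC4-MD5 only) `diagnose(OFFERED, {0x0004})["chosen"]` is None, which is the fatal handshake_failure in the dump; adding 0x0004 to the offered list (what `ciphers ALL` did later in the thread) makes it negotiable.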
29 Replies
- nitass
Employee
Have you tried ciphers ALL? Try ssldump again and see whether the server still resets.
- LyonsG_85618
Cirrostratus
Hi Nitass. Cipher settings set to ALL. SSL Dump:
2 0.0026 (0.0015) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
00 02 20 ec ab 11 f5 3c 34 9d 30 d5 01 47 9d 0e
14 7b ac c0 58 58 58 58 53 98 1e 3a 00 01 a6 8b
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
Certificate
ServerHelloDone
2 0.0028 (0.0002) C>S TCP RST
- LyonsG_85618
Cirrostratus
Still have not heard back from support either. Will chase them up and advise them of this thread! Thanks for your help.
- nitass_89166
Noctilucent
2 0.0028 (0.0002) C>S TCP RST
But this time BIG-IP is the one who reset, isn't it?
Have you tried setting peer-cert-mode to ignore in the serverssl profile?
- LyonsG_85618
Cirrostratus
Nitass - thanks. That is now working. I still need to understand why we need to change all ciphers and Server Certificate=request/ignore. But I guess that will be easier for support to identify now. Thanks to everyone for their assistance! As usual, DevCentral rocks!