SSL - F5 sending TCP RST after handshake
We just renewed the server's SSL certificate with a 2048-bit key, but now the F5 is sending a TCP RST to the server after the handshake.
It works when we switch back to the old certificate (1024-bit) without changing the F5 config.
Here is the ssldump output:
1 1 0.0010 (0.0010) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
Unknown value 0x2f
Unknown value 0x35
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
compression methods
NULL
1 2 0.0024 (0.0013) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
50 ff 8c cf 7d cc 68 fe 70 b6 d3 15 6c 6e 7c da
f6 32 a3 45 48 53 69 e1 cc a4 f7 1e 68 9a 58 8c
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
Certificate
ServerHelloDone
1 0.0027 (0.0002) C>S TCP RST
I could connect to the server using "openssl s_client -cipher 'RC4-SHA' -connect".
The server is JBoss. We're using BIG-IP 9.2.3.
Does anyone know why?
13 Replies
- What_Lies_Bene1
Cirrostratus
Has the new certificate been signed by a different CA?
- sgnewbie_121449
Nimbostratus
Hi Steve,
Yes, we just implemented new internal CA infrastructure. Btw, I've imported the ROOT CA bundle to F5 too.
Thanks
- What_Lies_Bene1
Cirrostratus
OK, and is that bundle configured in the SSLServer profile assigned to the VS, in the Trusted Certificate Authorities setting, on the F5?
- sgnewbie_121449
Nimbostratus
Yes, it's in Trusted Certificate Authorities.
Btw, one of the ROOT CA certificates is showing as expiring on Jan 1, 1970 (the cert actually expires in 2048). I read an F5 SOL that says I can ignore that and it's cosmetic only (I've verified the expiry date with the openssl x509 command).
Hmm . . .
- What_Lies_Bene1
Cirrostratus
OK, that's good, any chance it's chained and the bundle needs to be specified in the Chain setting too?
- sgnewbie_121449
Nimbostratus
I've tried that too.
I believe the problem is between the F5 and the server. I managed to apply the new cert on the ClientSSL profile successfully.
- What_Lies_Bene1
Cirrostratus
Hmmm. Any chance you could try installing and specifying the actual certificate the server presents too?
- sgnewbie_121449
Nimbostratus
I've tried that too, but it's still not OK.
Thanks Steve for the response.
Hmm . . .
- sgnewbie_121449
Nimbostratus
Further checks: the new server's SSL certificate is signed using SHA2. According to SOL6808, my BIG-IP doesn't support SHA2.
I'm trying to get a new cert signed using SHA1. See how it goes.
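The check behind that diagnosis, as an added example that is not code from this thread or from F5: a standard-library-only Python parser that reads a DER certificate and reports the signature hash and the RSA key size, the two things that changed with the renewal. `sample_cert` builds a constructed, cert-shaped DER for demonstration (assumed layout with dummy names and an empty signature field, not a real certificate); for a real one, pass the DER bytes of the PEM file or of the certificate the server presents.

```python
PKCS1 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"          # content bytes of OID 1.2.840.113549.1.1 (pkcs-1)
OIDS = {PKCS1 + b"\x01": "rsaEncryption", PKCS1 + b"\x05": "sha1WithRSAEncryption",
        PKCS1 + b"\x0b": "sha256WithRSAEncryption", PKCS1 + b"\x0c": "sha384WithRSAEncryption",
        PKCS1 + b"\x0d": "sha512WithRSAEncryption"}

def tlv(buf, pos=0):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                    # long form: next (n & 0x7f) bytes hold the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(value):
    """Children of a constructed DER value as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_cert(der):
    """Signature algorithm, SHA-2 flag and RSA modulus size of a DER X.509 certificate."""
    tbs, sig_alg, _sig = children(tlv(der)[1])      # Certificate ::= SEQ { tbs, sigAlg, signature }
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    spki_alg, spki_key = children(fields[5][1])     # serial, sigAlg, issuer, validity, subject, SPKI
    key_bits = None                                 # stays None for non-RSA keys
    if children(spki_alg[1])[0][1] == PKCS1 + b"\x01":
        rsa = children(tlv(spki_key[1][1:])[1])     # BIT STRING: skip unused-bits byte, then RSAPublicKey
        key_bits = int.from_bytes(rsa[0][1], "big").bit_length()
    sig = OIDS.get(children(sig_alg[1])[0][1], "unknown")
    return {"signature_algorithm": sig, "key_bits": key_bits,
            "sha2_signed": sig.startswith(("sha256", "sha384", "sha512"))}

def enc(tag, payload):                              # minimal DER encoder, only for the constructed test cert
    n = len(payload); k = (n.bit_length() + 7) // 8
    lb = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + lb + payload

def sample_cert(hash_arc, modulus):
    """CONSTRUCTED cert-shaped DER (dummy names, empty signature field); not a real certificate."""
    alg = enc(0x30, enc(0x06, PKCS1 + bytes([hash_arc])) + b"\x05\x00")
    name, rsa = enc(0x30, b""), enc(0x30, enc(0x02, b"\x00" + modulus) + enc(0x02, b"\x01\x00\x01"))
    spki = enc(0x30, enc(0x30, enc(0x06, PKCS1 + b"\x01") + b"\x05\x00") + enc(0x03, b"\x00" + rsa))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + alg + name
              + enc(0x30, enc(0x17, b"130101000000Z") * 2) + name + spki)
    return enc(0x30, tbs + alg + enc(0x03, b"\x00" * 9))
```

Running `inspect_cert` over the renewed certificate before loading it shows a `sha2_signed` result of True together with `key_bits` 2048, which is the combination the old BIG-IP release in this thread cannot validate.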
- What_Lies_Bene1
Cirrostratus
Ahh. Interesting. I'll have to read up on that, I wasn't aware. Thanks.