Forum Discussion

newf5learner_13
Apr 13, 2017

SSL Bridging failing for one of the applications

Hi Experts,

I have enabled SSL bridging for an application. The backend server is listening on 8443 (HTTPS) and the VIP on HTTPS with SNAT automap; however, it fails when I try to access the VIP.

The same configuration works on my other F5. I would like to understand why SSL bridging is failing. I have other applications on the same F5 appliance which are working; only this application is failing.

I request you to guide me with the troubleshooting on this. Many thanks.


  • You have 2 options when changing the ciphers on the server to avoid this issue.

    1) Disable DHE and use ECDHE or RSA instead in a custom serverssl profile (F5), or 2) configure the server to support a stronger key length for DHE.

    After that, use the custom serverssl profile on the VIP; the issue will be solved.

  • Are you using any certificate at the back end? Is it the same version of F5? Please take a tcpdump and use the Chrome developer tools to see the packets.


    • newf5learner

      Hi,

      It's the same version of F5s. On the non-working F5, I changed the server-ssl profile to use 'serverssl-insecure-compatible' and it started working. But I don't want to use this weak server-ssl profile; I would like to use some cipher suites with a minimum strength.

      Can you let me know how to identify the cipher suites the server supports and hardcode them in a specific server-ssl profile? I can hardcode them, but I need help in identifying the cipher suites that the server supports.

      Thanks.


    • Samir_Jha_52506

      Looks like your server is using an SSL certificate with a weak cipher. Take the packet capture and modify the server cipher setting.


    • newf5learner

      Yes. However, it's not listing anything for me when I look in the ssldump output. Can you let me know if I'm following what you are suggesting me to do?

      1 2  0.0079 (0.0074)  S>C  Handshake
            ServerHello
              Version 3.1
              session_id[32]=
                8a 4a 8f 1e 11 f0 e3 e9 45 d4 e2 6b e6 a5 2a b7

              cipherSuite         Unknown value 0xc014
              compressionMethod                   NULL
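Two things are asked in this subthread: what the `Unknown value 0xc014` in the ssldump ServerHello is, and how to find out which cipher suites the backend actually accepts so that the custom serverssl profile from the first answer (ECDHE or RSA key exchange, no DHE) can be written with a specific cipher string. The script below is an added example, not code from the thread or from F5. It uses only Python's standard `ssl` module; the backend name `backend.example.internal:8443`, the ssldump text it parses (a copy of the output above) and the F5 cipher-string keyword grouping it emits (`ECDHE+AES`, `RSA+AES`, `!DHE`, ...) are assumptions.

```python
"""Decode an ssldump cipherSuite code, probe which TLS 1.0-1.2 suites a
backend accepts, and derive a non-DHE cipher string for a custom F5
server-ssl profile. Added example; host/port and the F5 keyword grouping
are assumptions, not the thread's or F5's own code."""
import re
import socket
import ssl

# Copy of the ssldump ServerHello posted in the thread (constructed test input).
SSLDUMP_SERVERHELLO = """\
1 2  0.0079 (0.0074)  S>C  Handshake
      ServerHello
        Version 3.1
        cipherSuite         Unknown value 0xc014
        compressionMethod                   NULL
"""

# Substrings that mark suites a serverssl profile should never offer.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "PSK", "SRP")


def parse_ssldump_suite(text):
    """Return the cipherSuite code (int) from ssldump's ServerHello block, or None
    when ssldump printed a symbolic name instead of a hex value."""
    m = re.search(r"cipherSuite\s+(?:Unknown value\s+)?0x([0-9a-fA-F]{4})", text)
    return int(m.group(1), 16) if m else None


def kx_of(name):
    """Key-exchange family of an OpenSSL suite name (TLS 1.2 and earlier)."""
    if name.startswith("ECDHE-"):
        return "ECDHE"
    if name.startswith(("DHE-", "EDH-")):
        return "DHE"
    return "RSA"


def is_weak(name):
    return any(marker in name for marker in WEAK_MARKERS)


def _ctx(ciphers):
    """Client context restricted to `ciphers`; SECLEVEL=0 so old backends are
    probeable. We test suite support here, not the server's identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(ciphers + ":@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers(ciphers)  # LibreSSL has no SECLEVEL keyword
    return ctx


def decode_suite(code):
    """Map a ServerHello cipherSuite value (e.g. 0xC014) to the OpenSSL name the
    local library knows it by; the low 16 bits of OpenSSL's id are the IANA code."""
    for c in _ctx("ALL").get_ciphers():
        if c["id"] & 0xFFFF == code:
            return c["name"]
    return None


def probe(host, port, names=None, timeout=3.0):
    """Offer each suite alone and keep the ones the backend completes a handshake
    with. TLS 1.3 suites are skipped: they are negotiated separately."""
    if names is None:
        names = [c["name"] for c in _ctx("ALL").get_ciphers() if c["protocol"] != "TLSv1.3"]
    accepted = []
    for name in names:
        try:
            ctx = _ctx(name)
            ctx.minimum_version = ssl.TLSVersion.TLSv1
            ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        except (ssl.SSLError, ValueError):
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                accepted.append(tls.cipher()[0])
        except (OSError, ssl.SSLError):
            pass
    return accepted


def f5_cipher_string(supported):
    """Build the cipher string for the custom serverssl profile: keep the backend's
    ECDHE and plain-RSA AES suites, exclude DHE and weak suites (option 1 above).
    Assumed F5 keyword syntax: ECDHE, RSA, DHE, AES, AES-GCM, '+' = and, '!' = exclude."""
    kept = [n for n in supported if not is_weak(n) and kx_of(n) != "DHE"]
    groups = []
    for kx in ("ECDHE", "RSA"):
        if any(kx_of(n) == kx and "GCM" in n for n in kept):
            groups.append(kx + "+AES-GCM")
        if any(kx_of(n) == kx and "AES" in n for n in kept):
            groups.append(kx + "+AES")
    if not groups:
        raise ValueError("backend offers no usable non-DHE AES suite; fix the server side (option 2)")
    return ":".join(groups + ["!DHE", "!SSLv3", "!RC4", "!MD5", "!EXPORT"])


if __name__ == "__main__":
    code = parse_ssldump_suite(SSLDUMP_SERVERHELLO)
    print("ssldump ServerHello suite 0x%04x = %s" % (code, decode_suite(code)))
    accepted = probe("backend.example.internal", 8443)  # hypothetical backend
    print("backend accepts:", accepted)
    if accepted:
        print("serverssl ciphers:", f5_cipher_string(accepted))
```

Run it from any host that can reach the backend on 8443. The string it prints goes into the `ciphers` field of a custom server-ssl profile (for example `tmsh create ltm profile server-ssl app-serverssl defaults-from serverssl ciphers '<string>'`, profile name assumed) which is then attached to the virtual server in place of `serverssl-insecure-compatible`; the probe's accepted list is also what to compare against the profile when the handshake still fails.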
      