SSL Cipher error in ltm logfile "Cipher XX:Y negotiated is not configured in profile <sslprofilename>"
- Nov 07, 2013
I don't believe that cipher message is going to map to a specific cipher and I've only ever seen it when the Proxy SSL is configured. Is that a feature you've enabled?
Enabling debug logging for SSL might help, just remember to set it back when done.
tmsh modify sys db log.ssl.level value debug
tmsh modify sys db log.ssl.level value warning
Just a guess; Proxy SSL is enabled and the backend server is using a cipher which isn't in BIG-IP's DEFAULT cipher list. Just some additional background:
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13389.html
Thanks for your reply, and that link to the KB article.
I do have "Proxy SSL" enabled on both SSL profiles - this is kind of new to me, though - on the 9.3.1 platform, this didn't exist, but it seems like the only way I could get the same functionality on 11.4.1. Frankly, this is a simple setup:
2 backend Web servers A and B. There's a single virtual server for port 80 requests and a single virtual server for port 443 requests. There's an iRule in place on the port 80 VS which simply does "when http request, if URI = (a number of things) send it to node A, otherwise send it to B". The port 443 VS has a pool associated with it which only includes Server B - all SSL traffic is sent to Server B.
While I have things set up to do x-forwarded-for on the SSL Virtual Server I don't even know that I care to have that functionality - which raises the question of why I'm doing Proxy SSL at all. The "Server B" webserver has the SSL certificate, key, root CA, intermediate certificates just as the F5 does; maybe I'm making this more complicated, and should configure the SSL Virtual server to simply connect the client directly to Server B for all SSL traffic. I'm just not sure I know how to do that - seems like Proxy SSL is the only way I could get it to work...