Forum Discussion
SSL Cipher error in ltm logfile "Cipher XX:Y negotiated is not configured in profile <sslprofilename>"
- Nov 07, 2013
I don't believe that cipher message is going to map to a specific cipher and I've only ever seen it when the Proxy SSL is configured. Is that a feature you've enabled?
Enabling debug logging for SSL might help, just remember to set it back when done.
tmsh modify sys db log.ssl.level value debug
tmsh modify sys db log.ssl.level value warning
Just a guess; Proxy SSL is enabled and the backend server is using a cipher which isn't in BIG-IP's DEFAULT cipher list. Just some additional background:
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13389.html
I had a similar error that I was troubleshooting, specifically the error was:
Cipher 9d:5 negotiated is not configured in profile /Common/XXXXXXXX
As Kevin K mentioned above, the cipher that was being selected by the Client and Server in my Proxy SSL connection was not available to the F5. This was tricky to track down as I could not find a reference to 9d:5 anywhere.
A Wireshark capture helped me to identify the cipher selected, below is the snip:
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4487
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 81
Version: TLS 1.2 (0x0303)
Random
Session ID Length: 32
Session ID: 50220000c0b5570bb4d67cbf40ce8e742bbda00f380a0d9f...
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Compression Method: null (0)
My theory was a correlation between "9d" in the ltm log and cipher suite 0x009d. A few quick searches didn't reveal much initially, until I removed the leading 0 in front of the 9d and saw on the SOL13163: SSL ciphers supported on BIG-IP platforms (11.x - 12.x) page that "9d" corresponds to "AES256-GCM-SHA384 (0x9d)".
Once I had that I was able to look at what cipher suites were available to my profiles based on the current configuration, which was "DEFAULT".
tmm -serverciphers 'DEFAULT'
Showed me that cipher suite "AES256-GCM-SHA384 (0x9d)" was not an option. However
tmm -serverciphers 'NATIVE'
did show that cipher suite as an option. I modified my ciphers in the custom clientssl and serverssl profiles to use NATIVE instead of DEFAULT and the errors went away because the F5 could now read the traffic.
I realize this is a long explanation on an older post, but I'm hoping to share with anyone else how I arrived at this (the process) so that if someone else ends up here they'll have the steps to follow.
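The mapping the post above works out by hand (ltm log "9d" to the ServerHello cipher suite 0x009d, then to the OpenSSL-style name) can be automated. The following is an added example, not code from the original thread or from F5: it parses the ltm log line, extracts the negotiated cipher suite from a TLS ServerHello record the way the Wireshark snip shows it, and checks whether that suite is in a profile's configured list. The cipher-suite name table, the "allowed" list standing in for the profile's cipher string, and the ServerHello builder used to produce sample input are all constructed for the illustration; the meaning of the ":5" suffix in the log line is not explained in the thread, so the code only captures it without interpreting it.

```python
import re
import struct

# Constructed subset of the IANA cipher-suite registry, keyed by the 16-bit suite id
# and giving the OpenSSL-style name BIG-IP shows in `tmm -serverciphers` output.
# Assumption: only the handful of suites needed here; the real table is far larger.
CIPHER_NAMES = {
    0x002F: "AES128-SHA",
    0x0035: "AES256-SHA",
    0x009C: "AES128-GCM-SHA256",
    0x009D: "AES256-GCM-SHA384",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
}

# Matches the ltm log message discussed in the thread: "Cipher 9d:5 negotiated is not
# configured in profile /Common/<name>". The hex part is the suite id without leading
# zeros; the number after the colon is captured but not interpreted.
LTM_CIPHER_RE = re.compile(
    r"Cipher ([0-9a-fA-F]+):(\d+) negotiated is not configured in profile (\S+)"
)


def parse_ltm_cipher_line(line):
    """Return suite id, suffix and profile from an ltm log line, or None if it does not match."""
    m = LTM_CIPHER_RE.search(line)
    if not m:
        return None
    return {"suite_id": int(m.group(1), 16), "suffix": int(m.group(2)), "profile": m.group(3)}


def ltm_hex(suite_id):
    """Format a suite id the way the ltm log prints it: lowercase hex, no leading zeros."""
    return format(suite_id, "x")


def cipher_suite_from_server_hello(record):
    """Extract the negotiated cipher suite id from a TLS record carrying a ServerHello.

    Layout (RFC 5246): record header (type 1, version 2, length 2), handshake header
    (type 1, length 3), then ServerHello: version 2, random 32, session_id_len 1,
    session_id, cipher_suite 2, compression 1. Extensions, if any, follow and are ignored.
    """
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a Handshake record")
    body = record[5:5 + length]
    if body[0] != 2:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    session_id_len = hello[34]          # 2 (version) + 32 (random)
    offset = 35 + session_id_len
    return int.from_bytes(hello[offset:offset + 2], "big")


def build_server_hello(cipher_suite, session_id=b"\x50\x22" + b"\x00" * 30):
    """Construct a minimal TLS 1.2 ServerHello record for testing (sample input, not a capture)."""
    hello = (b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
             + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def check_negotiated(suite_id, allowed_suites, profile):
    """Report whether the negotiated suite is in the profile's configured list.

    `allowed_suites` stands in for the expansion of the profile's cipher string
    (what `tmm -serverciphers '<string>'` would list); it is constructed here.
    """
    name = CIPHER_NAMES.get(suite_id, "unknown")
    configured = suite_id in allowed_suites
    msg = (f"{name} (0x{suite_id:04x}) is configured in {profile}" if configured
           else f"Cipher {ltm_hex(suite_id)} ({name}) negotiated is not configured in profile {profile}")
    return configured, msg


if __name__ == "__main__":
    # Constructed sample log line in the thread's format.
    line = 'Cipher 9d:5 negotiated is not configured in profile /Common/XXXXXXXX'
    parsed = parse_ltm_cipher_line(line)
    record = build_server_hello(0x009D)
    negotiated = cipher_suite_from_server_hello(record)
    # Constructed stand-in for a DEFAULT-like list that lacks the GCM suites.
    default_like = {0x002F, 0x0035}
    native_like = default_like | {0x009C, 0x009D, 0xC030}
    print(parsed, ltm_hex(negotiated), CIPHER_NAMES[negotiated])
    print(check_negotiated(negotiated, default_like, parsed["profile"]))
    print(check_negotiated(negotiated, native_like, parsed["profile"]))
```

Running the script against a captured ServerHello (for example, bytes exported from the Wireshark record shown above) gives the same suite id the log line reports, so the log value and the capture can be correlated without guessing at the leading zero.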