Forum Discussion

Joe_Volesky_969's avatar
Joe_Volesky_969
Icon for Nimbostratus rankNimbostratus
Nov 07, 2013

SSL Cipher error in ltm logfile "Cipher XX:Y negotiated is not configured in profile <sslprofilename>"

I recently moved an HTTPS Virtual Server from an old LTM (running 9.3.1) to a new pair of load balancers running 11.4.1. This particular Virtual Server is using both a client SSL profile and a serve...
cipher
management
security
ssl
ssl profile
  • Kevin_K_51432's avatar
    Kevin_K_51432
    Nov 07, 2013

    I don't believe that cipher message is going to map to a specific cipher and I've only ever seen it when the Proxy SSL is configured. Is that a feature you've enabled?

     

    Enabling debug logging for SSL might help, just remember to set it back when done.

     

    tmsh modify sys db log.ssl.level value debug

     

    tmsh modify sys db log.ssl.level value warning

     

    Just a guess; Proxy SSL is enabled and the backend server is using a cipher which isn't in BIG-IP's DEFAULT cipher list. Just some additional background:

     

    http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13389.html

     

Troy_Murray_196's avatar
Troy_Murray_196
Icon for Cirrus rankCirrus
Oct 11, 2016

I had a similar error that I was troubleshooting, specifically the error was:

Cipher 9d:5 negotiated is not configured in profile /Common/XXXXXXXX

As Kevin K mentioned above, the cipher that was being selected by the Client and Server in my Proxy SSL connection was not available to the F5. This was tricky to track down as I could not find a reference to 9d:5 anywhere.

A Wireshark capture helped me to identify the cipher selected, below is the snip:

Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 4487
    Handshake Protocol: Server Hello
        Handshake Type: Server Hello (2)
        Length: 81
        Version: TLS 1.2 (0x0303)
        Random
        Session ID Length: 32
        Session ID: 50220000c0b5570bb4d67cbf40ce8e742bbda00f380a0d9f...
        Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
        Compression Method: null (0)

My theory was a correlation between "9d" in the ltm log and cipher suite 0x009d. A few quick searches didn't reveal much initially, until I removed the leading 0 in front of the 9d and saw on the SOL13163: SSL ciphers supported on BIG-IP platforms (11.x - 12.x) page that "9d" corresponds to "AES256-GCM-SHA384 (0x9d)"

Once I had that I was able to look at what cipher suites were available to my profiles based on the current configuration, which was "DEFAULT".

tmm -serverciphers 'DEFAULT'

Showed me that cipher suite "AES256-GCM-SHA384 (0x9d)" was not an option. However

tmm -serverciphers 'NATIVE'

did show that cipher suite as an option. I modified my ciphers in the custom clientssl and serverssl profiles to use NATIVE instead of DEFAULT and the errors went away because the F5 could now read the traffic.

I realize this is a long explanation on an older post, but I'm hoping to share with anyone else how I arrived at this (the process) so that if someone else ends up here they'll have the steps to follow.