Forum Discussion
SSL cipher
Hi guys
TLS is weird.
Why is this behavior happening?
The server that receives the client hello sends an alert.
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 688
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 684
            Version: TLS 1.2 (0x0303)
The server only allows TLS 1.0.
Our SSL profile is also set to only allow TLS 1.0.
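The capture above carries two version fields. The record layer says TLS 1.0 (0x0301) while the ClientHello body says TLS 1.2 (0x0303); clients routinely put 0x0301 in the record layer of the first ClientHello for compatibility, so the handshake version (and, for TLS 1.3 clients, the supported_versions extension) is what actually carries the offer. Under RFC 5246 Appendix E.1 a server that only speaks TLS 1.0 is expected to answer a TLS 1.2 ClientHello by negotiating TLS 1.0, not by alerting, unless the client pins its versions with supported_versions. The Python below is an added example, not code from this thread or from F5: it builds a minimal ClientHello from constructed bytes (the cipher suite and zero random are sample data, not the capture), parses the fields Wireshark labels above, and applies that version-selection rule for a server limited to a given version set.

```python
# Added example for this thread (not code from the post or from F5): parse the
# version fields of a TLS ClientHello and apply the RFC 5246 / RFC 8446
# version-selection rule for a server restricted to a given set of versions.
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE = 22            # record-layer content type
CLIENT_HELLO = 1          # handshake message type
SUPPORTED_VERSIONS = 43   # extension type (RFC 8446)


def build_client_hello(record_version, handshake_version, supported_versions=()):
    """Construct a minimal ClientHello record (constructed sample input, not a capture)."""
    body = struct.pack(">H", handshake_version)
    body += bytes(32)                              # client random (zeros are fine for parsing)
    body += b"\x00"                                # session id: empty
    body += struct.pack(">H", 2) + b"\xc0\x13"     # one cipher suite (ECDHE-RSA-AES128-SHA)
    body += b"\x01\x00"                            # compression methods: null only
    ext = b""
    if supported_versions:
        versions = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext_data = bytes([len(versions)]) + versions
        ext = struct.pack(">HH", SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack(">H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack(">HH", record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Return the record-layer version, the handshake (legacy) version and the
    supported_versions list, i.e. the fields Wireshark shows in the capture."""
    content_type, record_version, record_len = struct.unpack(">BHH", data[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = data[5:5 + record_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    handshake_version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                   # skip client random
    pos += 1 + body[pos]                           # skip session id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + body[pos]                           # skip compression methods
    supported = []
    if pos + 2 <= len(body):                       # extensions block is optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS:        # 1-byte length, then 2-byte versions
                supported = [struct.unpack(">H", edata[i:i + 2])[0]
                             for i in range(1, 1 + edata[0], 2)]
    return {"record_version": record_version,
            "handshake_version": handshake_version,
            "supported_versions": supported}


def describe(info):
    """Human-readable summary of the parsed version fields."""
    names = ", ".join(TLS_VERSIONS.get(v, hex(v)) for v in info["supported_versions"]) or "(none)"
    return "record layer %s, handshake %s, supported_versions %s" % (
        TLS_VERSIONS[info["record_version"]], TLS_VERSIONS[info["handshake_version"]], names)


def offered_versions(info):
    """Versions the client is offering. With supported_versions that list is
    authoritative; otherwise the handshake version is a ceiling and the server
    may pick any version from TLS 1.0 up to it (RFC 5246, Appendix E.1)."""
    if info["supported_versions"]:
        return set(info["supported_versions"])
    return {v for v in TLS_VERSIONS if 0x0301 <= v <= info["handshake_version"]}


def server_decision(info, server_versions):
    """What a spec-conforming server limited to server_versions should answer."""
    common = offered_versions(info) & set(server_versions)
    if not common:
        return "alert: protocol_version"
    return "negotiate " + TLS_VERSIONS[max(common)]


if __name__ == "__main__":
    # Same shape as the capture in the post: record layer 0x0301, handshake 0x0303.
    info = parse_client_hello(build_client_hello(0x0301, 0x0303))
    print(describe(info))
    print("TLS 1.0-only server:", server_decision(info, [0x0301]))
```

Run against a real capture, feed the raw record bytes to parse_client_hello; if the result shows no supported_versions and the server still alerts, the alert is not explained by the version fields alone and the peer's handling of TLS 1.2 ClientHellos (or the profile actually in use for that flow) is the next thing to check.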
6 Replies
Hi,
could you please share more information other than the snippet?
Serverside SSL Profile, Web Server SSL config, full SSL handshake.
Cheers
Daniel
It's as follows:
ltm profile server-ssl /Common/aaa_SSL_Server_Profile {
app-service none
defaults-from /Common/serverssl
options { dont-insert-empty-fragments no-tlsv1.1 no-tlsv1.2 no-sslv3 }
}
I don't know anything about the server-side configuration other than that it only supports TLS 1.0.
The above is a TCP packet dump. Do you know what causes these packets to appear?
btw. this snippet won't load
root@(awaf)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config from-terminal merge verify
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm profile server-ssl /Common/aaa_SSL_Server_Profile {
    app-service none
    defaults-from /Common/serverssl
    options { dont-insert-empty-fragments no-tlsv1.1 no-tlsv1.2 no-sslv3 }
}
Validating configuration...
01b40001:3: A cipher group must be configured when TLS 1.3 is enabled (validation failed for profile /Common/aaa_SSL_Server_Profile).
Unexpected Error: Validating configuration process failed.
I set this up in my lab and it works. BIG-IP Version 21.0.
I created two virtuals.
The first virtual has a default SSL profile on the client side and a serverside profile that only has TLS 1 enabled. This has the IP 192.168.57.82
A second has a clientssl profile that will only accept TLS 1 and has an iRule attached that will respond 200 OK to any HTTP request. This has the IP 2.2.2.2.
This is the traffic flow:
First test.
cURL from F5 to Virtual Server 2
Result: Only TLS 1 works, success.
[root@awaf:Active:Standalone] config # openssl s_client -connect 2.2.2.2:443 -tls1
CONNECTED(00000003)
depth=0 C = US, ST = WA, L = Seattle, O = MyCompany, OU = IT, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = WA, L = Seattle, O = MyCompany, OU = IT, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
verify return:1
---
Certificate chain
 0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
   i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
REMOVED
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1461 bytes and written 299 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
Second test
cURL from F5 to Virtual Server 1, get proper HTTP response and verify TLS 1 from SNAT address to 2.2.2.2
Result:
[root@awaf:Active:Standalone] config # curl https://192.168.57.82 -k
<html>
   <head>
      <title>BIG-IP</title>
   </head>
   <body>
      200 OK
   </body>
</html>
F5 to backend - Client Hello only TLS 1
Backend response - Server Hello only TLS 1
This is my serverssl profile
Here is my complete config as AS3 for you to replay and to test.
I'd start with the first test in your environment to make sure the backend really speaks TLS 1.
{
  "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/main/schema/latest/as3-schema.json",
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.0.0",
    "TLS1_TEST": {
      "class": "Tenant",
      "responder_service": {
        "class": "Application",
        "service_http_200": {
          "class": "Service_HTTPS",
          "virtualPort": 443,
          "redirect80": false,
          "serverTLS": "frontendtls",
          "virtualAddresses": [ "2.2.2.2" ],
          "iRules": [{ "use": "rule_http_200" }]
        },
        "frontendtls": {
          "class": "TLS_Server",
          "certificates": [ { "certificate": "default_cert" } ],
          "ssl3Enabled": false,
          "tls1_0Enabled": true,
          "tls1_1Enabled": false,
          "tls1_2Enabled": false,
          "tls1_3Enabled": false,
          "dtlsEnabled": false,
          "dtls1_2Enabled": false
        },
        "default_cert": {
          "class": "Certificate",
          "certificate": { "bigip": "/Common/default.crt" },
          "privateKey": { "bigip": "/Common/default.key" }
        },
        "rule_http_200": {
          "class": "iRule",
          "iRule": {
            "base64": "d2hlbiBIVFRQX1JFUVVFU1QgewogICBIVFRQOjpyZXNwb25kIDIwMCBjb250ZW50IHsKICAgICAgPGh0bWw+CiAgICAgICAgIDxoZWFkPgogICAgICAgICAgICA8dGl0bGU+QklHLUlQPC90aXRsZT4KICAgICAgICAgPC9oZWFkPgogICAgICAgICA8Ym9keT4KICAgICAgICAgICAgMjAwIE9LCiAgICAgICAgIDwvYm9keT4KICAgICAgPC9odG1sPgogICB9Cn0="
          }
        }
      },
      "forwarding_service": {
        "class": "Application",
        "service_http": {
          "class": "Service_HTTPS",
          "virtualPort": 443,
          "redirect80": false,
          "serverTLS": { "bigip": "/Common/clientssl" },
          "clientTLS": "backendtls",
          "virtualAddresses": [ "192.168.57.82" ],
          "iRules": [{ "use": "rule_vs_forward" }]
        },
        "backendtls": {
          "class": "TLS_Client",
          "ssl3Enabled": false,
          "tls1_0Enabled": true,
          "tls1_1Enabled": false,
          "tls1_2Enabled": false,
          "tls1_3Enabled": false,
          "dtlsEnabled": false,
          "dtls1_2Enabled": false
        },
        "rule_vs_forward": {
          "class": "iRule",
          "iRule": {
            "base64": "d2hlbiBIVFRQX1JFUVVFU1QgewogIHZpcnR1YWwgL1RMUzFfVEVTVC9yZXNwb25kZXJfc2VydmljZS9zZXJ2aWNlX2h0dHBfMjAwCn0="
          }
        }
      }
    }
  }
}
Good luck
Daniel
Thank you.
We confirmed that loading the device configuration works, but verifying does not.
We are investigating this issue further.
Thank you for your help.
- Kerry
Cirrus
Do you have a health monitor running? Unless you define an SSL profile on it, it will use the default. Also, if there is more than one server SSL profile on the VS (i.e. you are using SNI), the F5 can select the wrong profile and an iRule is needed to fix that.