SSL cipher

Question

Hi guys&nbsp;
&nbsp;
TLS is weird.
Why is this behavior happening?
&nbsp;
The server that receives the client hello sends an alert.
Transport Layer Security&nbsp;&nbsp;&nbsp; TLSv1.2 Record Layer: Handshake Protocol: Client Hello&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Content Type: Handshake (22)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Version: TLS 1.0 (0x0301)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Length: 688&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Handshake Protocol: Client Hello&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Handshake Type: Client Hello (1)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Length: 684&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Version: TLS 1.2 (0x0303)
&nbsp;
The server only allows TLS 1.0.
Our SSL profile is also set to only allow TLS 1.0.

daniel_wolf · Answer

Hi,
could you please share more information other than the snippet?Serverside SSL Profile, Web Server SSL config, full SSL&nbsp;handshake.
CheersDaniel

daniel_wolf · Answer

I set this up in my lab and it works. BIG-IP Version 21.0.
I created two virtuals. The first virtual has a default SSL profile on the client side and a serverside profile that only has TLS 1 enabled. This has the IP 192.168.57.82A second has a clientssl profile that will only accept TLS 1 and has an iRule attached that will respond 200 OK to any HTTP request. This has the IP 2.2.2.2.
This is the traffic flow:

First test.cURL from F5 to Virtual Server 2Result: Only TLS 1 works, success.
[root@awaf:Active:Standalone] config # openssl s_client -connect 2.2.2.2:443 -tls1
CONNECTED(00000003)
depth=0 C = US, ST = WA, L = Seattle, O = MyCompany, OU = IT, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = WA, L = Seattle, O = MyCompany, OU = IT, CN = localhost.localdomain, emailAddress = root@localhost.localdomain
verify return:1
---
Certificate chain
 0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
   i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
REMOVED
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1461 bytes and written 299 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA

&nbsp;
Second testcURL from F5 to Virtual Server 1, get proper HTTP response and verify TLS 1 from SNAT address to 2.2.2.2Result:&nbsp;
[root@awaf:Active:Standalone] config # curl https://192.168.57.82 -k

&lt;html&gt;
         &lt;head&gt;
            &lt;title&gt;BIG-IP&lt;/title&gt;
         &lt;/head&gt;
         &lt;body&gt;
            200 OK
         &lt;/body&gt;
      &lt;/html&gt;

F5 to backend - Client Hello only TLS 1

&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
Backend response - Server Hello only TLS 1

&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
This is my serverssl profile

&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;
Here is my complete config as AS3 for you to replay and to test.I'd start with the first test in your environment to make sure the backend really speaks TLS 1.
{
    "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/main/schema/latest/as3-schema.json",
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "TLS1_TEST": {
            "class":"Tenant",
            "responder_service": {
                "class": "Application",
                "service_http_200": {
                    "class": "Service_HTTPS",
                    "virtualPort": 443,
                    "redirect80": false,
                    "serverTLS": "frontendtls",
                    "virtualAddresses": [
                        "2.2.2.2"
                    ],
                    "iRules": [{
                        "use": "rule_http_200"
                    }]
                },
                "frontendtls": {
                    "class": "TLS_Server",
                    "certificates": [
                        {
                            "certificate": "default_cert"
                        }
                    ],
                    "ssl3Enabled": false,
                    "tls1_0Enabled": true,
                    "tls1_1Enabled": false,
                    "tls1_2Enabled": false,
                    "tls1_3Enabled": false,
                    "dtlsEnabled": false,
                    "dtls1_2Enabled": false
                },
                "default_cert": {
                    "class": "Certificate",
                    "certificate": {"bigip":"/Common/default.crt"},
                    "privateKey": {"bigip":"/Common/default.key"}
                },
                "rule_http_200": {
                    "class": "iRule",
                    "iRule": {
                        "base64": "d2hlbiBIVFRQX1JFUVVFU1QgewogICBIVFRQOjpyZXNwb25kIDIwMCBjb250ZW50IHsKICAgICAgPGh0bWw+CiAgICAgICAgIDxoZWFkPgogICAgICAgICAgICA8dGl0bGU+QklHLUlQPC90aXRsZT4KICAgICAgICAgPC9oZWFkPgogICAgICAgICA8Ym9keT4KICAgICAgICAgICAgMjAwIE9LCiAgICAgICAgIDwvYm9keT4KICAgICAgPC9odG1sPgogICB9Cn0="
                    }
                }
            },
            "forwarding_service": {
                "class": "Application",
                "service_http": {
                    "class": "Service_HTTPS",
                    "virtualPort": 443,
                    "redirect80": false,
                    "serverTLS": { "bigip": "/Common/clientssl" },
                    "clientTLS": "backendtls",
                    "virtualAddresses": [
                        "192.168.57.82"
                    ],
                    "iRules": [{
                        "use": "rule_vs_forward"
                    }]
                },
                "backendtls": {
                    "class": "TLS_Client",
                    "ssl3Enabled": false,
                    "tls1_0Enabled": true,
                    "tls1_1Enabled": false,
                    "tls1_2Enabled": false,
                    "tls1_3Enabled": false,
                    "dtlsEnabled": false,
                    "dtls1_2Enabled": false
                },
                "rule_vs_forward" : {
                    "class": "iRule",
                    "iRule": {
                        "base64": "d2hlbiBIVFRQX1JFUVVFU1QgewogIHZpcnR1YWwgL1RMUzFfVEVTVC9yZXNwb25kZXJfc2VydmljZS9zZXJ2aWNlX2h0dHBfMjAwCn0="
                    }
                }
            }
        }
    }
}
&nbsp;
Good luckDaniel

neeeewbie · Answer

It's as follows:
ltm profile server-ssl /Common/aaa_SSL_Server_Profile {&nbsp;&nbsp;&nbsp; app-service none&nbsp;&nbsp;&nbsp; defaults-from /Common/serverssl&nbsp;&nbsp;&nbsp; options { dont-insert-empty-fragments no-tlsv1.1 no-tlsv1.2 no-sslv3 }}

&nbsp;

I don't know anything about the server-side configuration other than that it only supports TLS 1.0.
The above is a TCP packet dump. Do you know what causes these packets to appear?

daniel_wolf · Answer

btw. this snippet won't load
root@(awaf)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config from-terminal merge verify 
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm profile server-ssl /Common/aaa_SSL_Server_Profile {
    app-service none
    defaults-from /Common/serverssl
    options { dont-insert-empty-fragments no-tlsv1.1 no-tlsv1.2 no-sslv3 }
}
Validating configuration...
01b40001:3: A cipher group must be configured when TLS 1.3 is enabled (validation failed for profile /Common/aaa_SSL_Server_Profile).
Unexpected Error: Validating configuration process failed.
&nbsp;

neeeewbie · Answer

Thank you.
We confirmed that loading the device configuration works, but verifying does not.
We are investigating this issue further.
Thank you for your help.

Forum Discussion

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Query on source IP preservation for syslog traffic through F5 virtual server

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Related Content

SSL Profiles Part 4: Cipher Suites

Cipher Suite Practices and Pitfalls

BIG-IP SSL Cipher History

SSL Ciphers (SSLLabs) Warning

Future-Proofing Your Network: Enabling Quantum Ciphers on F5 BIG-IP TMOS 17.5.1