SSL Debug doesn't give any details
Hello David.
I recommend you disable "generic alert" in the SSL profile (client/server) to see more details.
KR,
Dario.
Did it; still it shows nothing, like the KB article says it should.
It's just that single line of SSL handshake failure and the cipher info which I log with iRules:
Jul 8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: caca,1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035,000a
Jul 8 12:18:10 bigip2 info tmm6[12766]: 01260013:6: SSL Handshake failed for TCP 172.22.200.113:33589 -> 10.1.61.62:443
Jul 8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
Jul 8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: 2a2a,1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035,000a
Jul 8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
- Jul 08, 2019
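The log excerpt above is all the LTM log gives when generic-alert is still hiding the alert detail, so the useful triage is correlating the iRule's cipher lines with the `01260013` failure line per client. The following Python is an added example (not code from the thread, F5 or the iRule author) that parses the five lines quoted above, decodes the hex cipher IDs against the IANA TLS cipher-suite registry, separates out RFC 8701 GREASE values (such as the `caca` and `2a2a` leading each list, which are not real suites), flags legacy CBC/3DES offers, and counts handshake failures per client. Function names `summarize`, `decode_ciphers` and `is_grease` are my own; the sample log is constructed from the thread's lines.

```python
import re
from collections import defaultdict

# Constructed sample input: the LTM log lines quoted in the post above.
SAMPLE_LOG = """\
Jul 8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: caca,1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035,000a
Jul 8 12:18:10 bigip2 info tmm6[12766]: 01260013:6: SSL Handshake failed for TCP 172.22.200.113:33589 -> 10.1.61.62:443
Jul 8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
Jul 8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: 2a2a,1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035,000a
Jul 8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
"""

# Cipher suite numbers as registered with IANA (RFC 8446 / 5289 / 7905 / 5288 / 5246).
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

ATTEMPT_RE = re.compile(r"Client: (\S+) attempts SSL with ciphers: (\S+)")
FAIL_RE = re.compile(r"SSL Handshake failed for TCP (\S+):\d+ -> (\S+:\d+)")
NEGOT_RE = re.compile(r"Client: (\S+) successfully negotiates (\S+)")


def is_grease(code: int) -> bool:
    """RFC 8701 GREASE values look like 0x?a?a with both bytes equal (0x0a0a ... 0xfafa)."""
    return (code >> 8) == (code & 0xFF) and (code & 0x0F) == 0x0A


def decode_ciphers(csv_codes: str) -> dict:
    """Turn the iRule's comma-separated hex list into named suites, GREASE and legacy offers."""
    out = {"offered": [], "grease": [], "legacy": [], "unknown": []}
    for tok in csv_codes.split(","):
        code = int(tok, 16)
        if is_grease(code):
            out["grease"].append(f"0x{code:04x}")
            continue
        name = CIPHER_NAMES.get(code)
        if name is None:
            out["unknown"].append(f"0x{code:04x}")
            continue
        out["offered"].append(name)
        if "CBC" in name or "3DES" in name:  # no AEAD, or 64-bit block cipher
            out["legacy"].append(name)
    return out


def summarize(log_text: str) -> dict:
    """Per-client view: ClientHello attempts, 01260013 failures, negotiated suites, legacy offers."""
    clients = defaultdict(lambda: {
        "attempts": 0, "failures": 0, "negotiated": [],
        "grease": [], "legacy": set(), "unknown": set(), "virtual_servers": set(),
    })
    for line in log_text.splitlines():
        if m := ATTEMPT_RE.search(line):
            ip, decoded = m.group(1), decode_ciphers(m.group(2))
            c = clients[ip]
            c["attempts"] += 1
            c["grease"].extend(decoded["grease"])
            c["legacy"].update(decoded["legacy"])
            c["unknown"].update(decoded["unknown"])
        elif m := FAIL_RE.search(line):
            c = clients[m.group(1)]
            c["failures"] += 1
            c["virtual_servers"].add(m.group(2))
        elif m := NEGOT_RE.search(line):
            clients[m.group(1)]["negotiated"].append(m.group(2))
    return dict(clients)


def failed_clients(summary: dict) -> list:
    """Clients that produced at least one SSL Handshake failed entry, sorted by failure count."""
    hits = [(ip, c["failures"]) for ip, c in summary.items() if c["failures"]]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


if __name__ == "__main__":
    for ip, c in summarize(SAMPLE_LOG).items():
        print(ip, "attempts:", c["attempts"], "failures:", c["failures"],
              "negotiated:", sorted(set(c["negotiated"])), "legacy offered:", sorted(c["legacy"]))
```

Run over a longer `/var/log/ltm` extract, the `failures` counter per client and the `virtual_servers` set separate a single client repeatedly failing against one virtual (the certificate-trust situation discussed later in this thread) from a broad problem across many clients, and the `legacy` set shows which offered CBC/3DES suites you could drop from the client-ssl profile's cipher string without locking those clients out.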
Which KB article are you talking about? Also, which version are you talking about?
You can take a packet capture with generic-alert turned off like DavidMas advised and decrypt the capture on Wireshark.
- David_M, Jul 08, 2019 (Cirrostratus)
I am not trying to decrypt anything but looking for the handshake failure reason.
- Jul 08, 2019
Which version of BIG-IP are you using?
- David_M, Jul 09, 2019 (Cirrostratus)
I tried this on 12.x and 13.x, so SSL debug should give me the reasons anyway, and then I disabled the generic alert in the profile too, but still nothing in the LTM log.
In the pcap I do see fatal errors; I am thinking this is just because the cert I am using is not a browser-trusted one as of now.
But I don't see why that should cause SSL handshake failures.
- David_M, Jul 09, 2019 (Cirrostratus)
Well, I replaced the certificate with a proper certificate; the handshake failure errors are indeed gone now!
- Jul 09, 2019
Cool! Was that on the server side? Did you disable generic-alert on server-ssl profile?
- David_M, Jul 09, 2019 (Cirrostratus)
The backend pool is on port 80 and I was using client SSL only.
I did not have a properly signed cert; now I added the root to my browser and changed the cert in client SSL and the HS failure is gone. How did it allow the connection if the HS fails is what I am thinking.
- Jul 09, 2019
What do you mean it allowed the connection? From your Wireshark capture, the handshake failed.
- David_M, Jul 14, 2019 (Cirrostratus)
Yes, even after the HS failing, the website opened fine in the browser. Is this normal?
- David_M, Aug 25, 2019 (Cirrostratus)
Hi Rodrigo,
Well I was still able to see in the capture that the SSL handshake still throws the same error but it then continues to load the page.