SSL error "record_overflow"

Question

Hi, 
I'm trying ti troubleshoot SSL RST from the F5 VS, and the RST cause is
RST cause: [1915701:1666] {peer} SSL error (record_overflow(22)-C&nbsp;
actually I don't know what this issue implies to?
I found this link, but I don't know what the required action.
https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14819.html&nbsp;
be noted that the version is 11.4.1, and platform 3600&nbsp;

amolari · Answer

it seems this is an error msg that can show up when connecting with ssl to a HTTP service. Are the pool members and backend servers properly configured?&nbsp;

kevin_stewart · Answer

Which side is sending the reset? A record overflow is usually when one side sends more data than the peer can handle, for example when a server sends its certificate and a very long list of subordinate CAs in its ServerHello message.
If you do an openssl s_client from the BIG-IP shell you should be able to see what's happening:
openssl s_client -connect [server ip:port]

I'd also run an ssldump to watch data plane traffic between the BIG-IP and server:
ssldump -AdNn -i 0.0 port 443 and host [ip of server]

kevin_stewart · Answer

Yes, but:&nbsp;

Who is sending the reset?&nbsp;

Do an ssldump and watch the actual data plane SSL handshake. What do you see? Is the server's response too big?&nbsp;

kevin_stewart · Answer

Okay, so a few more questions.&nbsp;
You mentioned the backend servers are also doing SSL. Does that mean you're decrypting at the F5 with a client SSL profile and re-encrypting to the servers with a server SSL profile?&nbsp;
If so, is the SSL error happening on the client side (client to F5) or server side (F5 to server)?&nbsp;
Do you have secure renegotiation disabled in either of the SSL profiles?&nbsp;

kevin_stewart · Answer

Okay, so the error is happening on the client side and the F5 is sending the reset (and I'm assuming the SSL error). So is this a persistent error, or intermittent? Just for you or all users? Browers and cURL/OpenSSL s_client? The old SSL renegotiation attack could generate this error, but you'd be seeing a lot of SSL traffic hitting the box. Barring an unforeseen bug in that platform and version, the two main reasons to get that error are generally too many SSL renegotiation attempts or simply too much information in a given handshake message. Are you doing client certificate (mutual PKI) authentication?&nbsp;

Forum Discussion

SSL error "record_overflow"

5 Replies

Recent Discussions

Errors with AS3 3.56.0 with F5 17.5.1.6

f5 r5600 appliance issue with adding trunk to vlan

SSL Forward Proxy, iRules and Client Hello

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

Related Content

SSL Forward Proxy – Certificate Error Graceful Failure

SSL Profiles Part 6: SSL Renegotiation

SSL Orchestrator Service Extensions: DoH Guardian

Introduction to BIG-IP SSL Orchestrator

SSL Profiles Part 5: SSL Options

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS