Forum Discussion

Merry95_171142
Feb 18, 2015

SSL Error when requests come from proxy

Hello, I have a problem with some Virtual Servers on LTM.

I use Client SSL profiles, so the dialog between F5 and the server is unencrypted. All the parameters are the default ones.

This configuration works well with local clients (these are clients from the known network; they don't use any proxy in their web browser).

This same configuration doesn't work with distant clients, which I know are using their own proxy.

Do you have any leads for me?

6 Replies

  • What kind of problem are you encountering? "Doesn't work" is very vague. Are they receiving SSL errors? Are they failing an SSL handshake? Are they even completing the TCP handshake?

  • Actually, I have no error log in /var/log/ltm, and the errors the client is sending us are:

    • a Java error

    16/02 16:19:16 [ERROR] ue.GestionPreconisationFacadeMetier - log exception CEC, error message: ; nested exception is: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure '

    • a proxy error (Bluecoat)

    Feb 17 11:26:51 STIB0515 2015-02-17 10:26:39 15 - 172.30.201.132 172.30.201.139 - - - PROXIED "none" - 200 TCP_ACCELERATED CONNECT - tcp wscontrat.rmoa.xxx.fr 8096 / - - "Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0" 172.30.201.139 39 268 0 - "unavailable" "unavailable" - - identity - - 172.30.201.139 - tcp://wscontrat.rmoa.xxx.fr:8096/
    Feb 17 11:26:51 STIB0515 2015-02-17 10:26:39 25 - 172.30.201.132 172.30.101.132 - - - PROXIED "none" - 0 FAILED unknown - ssl wscontrat.rmoa.xxx.fr 8096 / - - - 172.30.201.139 0 0 0 - "unavailable" "unavailable" - - - - - 172.30.101.132 - ssl://wscontrat.rmoa.xxx.fr:8096/

    • I also have a pcap that shows a Client Hello, and then a Handshake Failure (Level: Fatal, Description: Handshake Failure) in SSLv3

  • Brad_Parker
    It sounds like your proxy and your client SSL profile don't have an overlap in your configured SSL cipher lists. What's your BigIP version, client SSL profile cipher list, and the list/SSL version in the Client Hello?
  • I'm using LTM 11.6.0. The SSL profiles are simple, with all default parameters and default ciphers, only the key and certificate from a pk12 file.

    I checked my captures and I can see:

    1. An SSL handshake succeeded when:

    - the client sends a Client Hello in SSLv2
    - in the cipher list there is TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039, which is the chosen cipher
    - F5 answers in TLS 1.0 with the cipher above

    2. An SSL handshake failed when:

    - the client sends a Client Hello in SSLv3
    - in the cipher list there is TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
    - F5 answers in SSLv3 with a fatal Handshake Failure (code 40)

    So why does it work from an SSLv2 Client Hello but not from SSLv3 (with the same valid cipher presented)? Why can't F5 switch to TLS in response to an SSLv3 request?

  • Your client is most likely sending an SSLv2-compatible hello that also states that it can talk TLS as well. The proxy is sending an SSLv3 hello, which means it can only negotiate up to SSLv3. The default cipher list in 11.5+ disables SSLv3, which is why your proxy is failing to complete the SSL handshake. You will either need to configure the proxy to use TLS or change your cipher list to include SSLv3 like this:

    !LOW:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA

    That would be the same as DEFAULT in 11.6 with the addition of SSLv3. I would suggest changing the proxy as SSLv3 is very vulnerable and no longer considered to be secure. PCI-DSS has also now officially stated it is not compliant to use SSLv3 at all.
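The version-versus-cipher point made in the answer above, and the two capture cases the asker listed, as an added example (not code from the thread, from F5 or from Bluecoat): it decodes a constructed SSLv2-compatible hello advertising TLS 1.0 and a constructed SSLv3 ClientHello, both offering 0x0039, and models a server whose floor is TLS 1.0. Only the suite id and the alert code 40 come from the thread; every byte string is constructed here.

```python
# Added example, not from the thread: decode both ClientHello shapes and model a server that refuses SSLv3.
import struct

SSL3, TLS10 = 0x0300, 0x0301
DHE_RSA_AES256_SHA = 0x0039   # TLS_DHE_RSA_WITH_AES_256_CBC_SHA, offered in both captured hellos
HANDSHAKE_FAILURE = 40        # alert description the F5 returned in the pcap

def parse_client_hello(data):
    """Return (client_version, [cipher suites]) for an SSLv2-compatible or TLS-record hello."""
    if data[0] & 0x80:                       # SSLv2 record: 2-byte header, high bit set
        if data[2] != 0x01:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        version, cs_len = struct.unpack(">HH", data[3:7])
        specs = data[11:11 + cs_len]         # follows session_id_length and challenge_length
        # each CIPHER-SPEC is 3 bytes; TLS suites are 0x00 followed by the 2-byte suite id
        return version, [struct.unpack(">H", specs[i + 1:i + 3])[0]
                         for i in range(0, cs_len, 3) if specs[i] == 0]
    if data[0] != 0x16 or data[5] != 0x01:   # handshake record carrying a client_hello
        raise ValueError("not a TLS ClientHello record")
    version = struct.unpack(">H", data[9:11])[0]
    pos = 11 + 32                            # skip client_random
    pos += 1 + data[pos]                     # skip session_id
    cs_len = struct.unpack(">H", data[pos:pos + 2])[0]
    return version, [struct.unpack(">H", data[i:i + 2])[0]
                     for i in range(pos + 2, pos + 2 + cs_len, 2)]

def server_response(client_version, suites, min_version=TLS10, offered=(DHE_RSA_AES256_SHA,)):
    """Server whose cipher string excludes SSLv3 (LTM 11.5+ DEFAULT); it speaks up to TLS 1.0."""
    if client_version < min_version:         # no protocol overlap: a shared suite cannot
        return ("alert", HANDSHAKE_FAILURE)   # rescue an SSLv3 hello
    common = [s for s in suites if s in offered]
    if not common:
        return ("alert", HANDSHAKE_FAILURE)
    return ("server_hello", min(client_version, TLS10), common[0])

def build_tls_hello(version, suites):        # constructed: zeroed random, empty session id
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"
            + struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00")                   # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", version, len(hs)) + hs

def build_sslv2_hello(version, suites):      # constructed: the version field is the client's maximum
    specs = b"".join(b"\x00" + struct.pack(">H", s) for s in suites)
    body = b"\x01" + struct.pack(">HHHH", version, len(specs), 0, 16) + specs + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body

BROWSER_HELLO = build_sslv2_hello(TLS10, [DHE_RSA_AES256_SHA])  # local client: SSLv2 format, offers TLS 1.0
PROXY_HELLO = build_tls_hello(SSL3, [DHE_RSA_AES256_SHA])       # proxy: SSLv3 hello, same suite
```

Passing `min_version=SSL3` to `server_response` models the cipher-string change in the answer: the same SSLv3 hello is then accepted at SSLv3 with 0x0039.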