Forum Discussion
Naresh_N
Nov 13, 2015 - Nimbostratus
SSL handshake errors
Hi there,
Recently put TMOS version 12 into production and see following SSL handshake errors, none of which existed in version 10.2.3:
Nov 12 03:15:36 dc1lbc2p info tmm[11446]: 01260013:6:...
Naresh_N
Nov 17, 2015 - Nimbostratus
Yes it is an actual certificate that I have defined in SSL profile. Not sure what you mean by failing with all browsers. The web sites are mostly working but for these frequent SSL handshake errors from some clients. Curl shows the html from web site - as expected. No new information there.
* STATE: INIT => CONNECT handle 0x6000572f0; line 1090 (connection -5000)
* Rebuilt URL to: https://abc.net
* Added connection 0. The cache now contains 1 members
* Trying 63.128.130.61...
* STATE: CONNECT => WAITCONNECT handle 0x6000572f0; line 1143 (connection 0)
* Connected to abc.net (63.128.130.61) port 443 (0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x6000572f0; line 1240 (connection 0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x6000572f0; line 1254 (connection 0)
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=ABC, Inc.; OU=Network Operations; CN=*.abc.net
* start date: Apr 9 00:00:00 2015 GMT
* expire date: Apr 3 23:59:59 2016 GMT
* issuer: C=US; O=thawte, Inc.; CN=thawte SHA256 SSL CA
* SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x6000572f0; line 1275 (connection 0)
> GET / HTTP/1.1
> Host: abc.net
> User-Agent: curl/7.45.0
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x6000572f0; line 1337 (connection 0)
* STATE: DO_DONE => WAITPERFORM handle 0x6000572f0; line 1464 (connection 0)
* STATE: WAITPERFORM => PERFORM handle 0x6000572f0; line 1474 (connection 0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 403 Forbidden
< Date: Tue, 17 Nov 2015 15:41:39 GMT
* Server Apache is not blacklisted
< Server: Apache
< Last-Modified: Wed, 23 Apr 2014 23:57:35 GMT
< Accept-Ranges: bytes
< Content-Length: 1212
< Strict-Transport-Security: max-age=500
< X-XSS-Protection: 1
< Cache-Control: max-age=0, no-store
< Content-Type: text/html
<
I wasn't aware of HSTS, but the headers show:
Strict-Transport-Security: max-age=500
Does it mean it's enabled and causing the issue? What does it do, and can I disable it if this is the root cause?
Thanks
Naresh
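As an added example (not part of the post and not F5 code): the transcript above is the place to settle the HSTS question. Strict-Transport-Security (RFC 6797) is an HTTP response header; the browser only sees it after the TLS handshake has completed and the response has arrived, and all it does is tell the browser to use HTTPS for this host for max-age seconds (here 500 seconds). It therefore cannot be the cause of a handshake error, which happens before any HTTP is exchanged. The script below parses `curl -v` output into TLS-layer events and HTTP-layer headers, reports whether both Finished messages were seen, what was negotiated, whether an alert or OpenSSL error ended the handshake, and what HSTS policy came back. Both embedded transcripts are constructed (placeholder host, address and certificate names; the failing one shows the shape of a rejected handshake); the function names are my own.

```python
"""Classify `curl -v` transcripts: did the TLS handshake complete, what was
negotiated, and what HTTP-layer policy (e.g. HSTS) came back afterwards.
Added example; the regexes follow curl's verbose output format."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the transcript in the post (placeholder
# host, address and certificate names; trimmed to the lines that matter).
SAMPLE_TRACE = """\
* Connected to example.test (192.0.2.10) port 443 (0)
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: C=US; O=Example; CN=*.example.test
*  start date: Apr  9 00:00:00 2015 GMT
*  expire date: Apr  3 23:59:59 2016 GMT
*  issuer: C=US; O=Example CA; CN=Example Issuing CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: example.test
>
< HTTP/1.1 403 Forbidden
< Server: Apache
< Strict-Transport-Security: max-age=500
< Content-Type: text/html
<
"""

# Constructed sample of a handshake the server rejects with a fatal alert.
# curl prints alert records using its handshake-name table, so the number
# shown is the alert level (2 = fatal) labelled as "Server hello".
FAILED_TRACE = """\
* Connected to example.test (192.0.2.10) port 443 (0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
"""

HANDSHAKE_RE = re.compile(
    r"^\* (?P<ver>TLSv[\d.]+|SSLv\d) \((?P<dir>IN|OUT)\), TLS "
    r"(?P<layer>handshake|change cipher|alert|header), (?P<name>.+?) \((?P<type>\d+)\):")
CONN_RE = re.compile(r"^\* SSL connection using (?P<ver>\S+) / (?P<cipher>\S+)")
CERT_RE = re.compile(r"^\*\s+(?P<key>subject|start date|expire date|issuer): (?P<val>.*)$")
VERIFY_RE = re.compile(r"^\*\s+SSL certificate verify (?P<res>ok|result: .*)")
ERROR_RE = re.compile(r"^\* (?P<err>error:.*)$")
STATUS_RE = re.compile(r"^< HTTP/\S+ (?P<code>\d{3})")
HEADER_RE = re.compile(r"^< (?P<name>[^:]+): ?(?P<value>.*)$")


@dataclass
class Trace:
    messages: List[Tuple[str, str, str, int]] = field(default_factory=list)  # (dir, layer, name, type)
    tls_version: Optional[str] = None
    cipher: Optional[str] = None
    cert: Dict[str, str] = field(default_factory=dict)
    verify_ok: Optional[bool] = None
    errors: List[str] = field(default_factory=list)
    status: Optional[int] = None
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased response headers


def parse_curl_trace(text: str) -> Trace:
    t = Trace()
    for line in text.splitlines():
        line = line.rstrip()
        m = HANDSHAKE_RE.match(line)
        if m:
            t.messages.append((m["dir"], m["layer"], m["name"], int(m["type"])))
            continue
        m = CONN_RE.match(line)
        if m:
            t.tls_version, t.cipher = m["ver"], m["cipher"]
            continue
        m = CERT_RE.match(line)
        if m:
            t.cert[m["key"]] = m["val"].strip()
            continue
        m = VERIFY_RE.match(line)
        if m:
            t.verify_ok = m["res"] == "ok"
            continue
        m = ERROR_RE.match(line)
        if m:
            t.errors.append(m["err"])
            continue
        m = STATUS_RE.match(line)
        if m:
            t.status = int(m["code"])
            continue
        m = HEADER_RE.match(line)
        if m and t.status is not None:  # response headers only follow the status line
            t.headers[m["name"].strip().lower()] = m["value"].strip()
    return t


def handshake_completed(t: Trace) -> bool:
    """Both sides sent Finished (handshake type 20): keys agreed, record layer up."""
    finished = {d for d, layer, _, typ in t.messages if layer == "handshake" and typ == 20}
    return finished == {"IN", "OUT"}


def alerts_received(t: Trace) -> List[Tuple[str, int]]:
    """(direction, alert level) for every alert record in the trace."""
    return [(d, typ) for d, layer, _, typ in t.messages if layer == "alert"]


def hsts_policy(t: Trace) -> Optional[Dict[str, object]]:
    """Parse Strict-Transport-Security (RFC 6797). It is an HTTP response header,
    so it can only be present when the handshake has already succeeded."""
    value = t.headers.get("strict-transport-security")
    if value is None:
        return None
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: leave unset rather than guess
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def diagnose(text: str) -> Dict[str, object]:
    t = parse_curl_trace(text)
    return {
        "handshake_completed": handshake_completed(t),
        "alerts": alerts_received(t),
        "errors": t.errors,
        "tls_version": t.tls_version,
        "cipher": t.cipher,
        "cert_verify_ok": t.verify_ok,
        "cert_expires": t.cert.get("expire date"),
        "http_status": t.status,
        "hsts": hsts_policy(t),
    }


if __name__ == "__main__":
    for label, trace in (("ok", SAMPLE_TRACE), ("failed", FAILED_TRACE)):
        print(label, diagnose(trace))
```

Run it over transcripts captured from the clients that fail (curl -v ... 2> trace.txt) as well as from ones that work: a trace with no HSTS entry and an alert or OpenSSL error is a TLS-layer problem to chase on the BIG-IP side (client SSL profile, cipher list, certificate chain), while any trace that reaches the HSTS header has already negotiated TLS successfully.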