Forum Discussion

Naresh_N's avatar
Naresh_N
Icon for Nimbostratus rankNimbostratus
Nov 13, 2015

SSL handshake errors

Hi there,   Recently put TMOS version 12 into production and see following SSL handshake errors, none of which existed in version 10.2.3:   Nov 12 03:15:36 dc1lbc2p info tmm[11446]: 01260013:6:...
BIG-IP
clientssl
LTM
openssl
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 17, 2015

Yes, this header indicates that you're using HSTS. Basically, that header tells the browser a few things:

 

  1. For all subsequent requests to this URL, always connect via HTTPS (regardless of the URLs presented to the browser)

     

  2. If for any reason the server's certificate cannot be validated, fail completely. In other words you don't get the option to bypass/ignore the error. It just fails.

     

It's very likely working in cURL because cURL doesn't understand HSTS. The max-age directive is in seconds, and that's how long the browser caches this information. Thankfully you didn't specify the usual 1 week, because it's very difficult to clear that cache. So at the very least you need to uncheck this value in the HTTP profile and wait 500 seconds to allow the browser to forget the setting. You may notice afterwards that the browser will prompt you to ignore the untrusted cert.