Forum Discussion
Naresh_N
Nov 13, 2015 · Nimbostratus
SSL handshake errors
Hi there,
Recently put TMOS version 12 into production and see the following SSL handshake errors, none of which existed in version 10.2.3:
Nov 12 03:15:36 dc1lbc2p info tmm[11446]: 01260013:6:...
Naresh_N
Nov 20, 2015 · Nimbostratus
Kevin,
What went wrong here -
363 1 1448048245.1572 (0.0026) C>SV3.2(163) Handshake
ClientHello
Version 3.2
random[32]=
56 4f 76 75 17 79 bb e4 bb 1d 18 6d 65 65 f7 14
60 a5 de 1b 2c dc 2a d7 3d ee 8c d0 0e a4 83 e1
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
NULL
363 2 1448048245.1584 (0.0011) S>CV3.2(87) Handshake
ServerHello
Version 3.2
random[32]=
52 c7 9d f6 0f e8 9e c4 39 2d 8e 51 49 ef b4 12
8a 3a 68 15 fe 7b a9 5c a7 de f9 e0 46 27 b0 20
session_id[32]=
1a b0 5c 0b ee 75 50 6f 02 78 ec a2 57 bd f8 f7
e3 72 9d 63 8f 53 a3 07 57 8d 9b 75 26 4d 48 07
cipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
compressionMethod NULL
363 3 1448048245.1584 (0.0000) S>CV3.2(2488) Handshake
Certificate
Subject
C=US
ST=California
L=Mountain View
O=abc, Inc.
OU=Network Operations
CN=*.abc.net
Issuer
C=US
O=thawte, Inc.
CN=thawte SHA256 SSL CA
Serial 49 a1 db 0d 32 5e a5 16 dd 0b 5c 71 eb ec f3 6a
Extensions
Extension: X509v3 Subject Alternative Name
Extension: X509v3 Basic Constraints
Extension: X509v3 Certificate Policies
Extension: X509v3 Key Usage
Critical
Extension: X509v3 Authority Key Identifier
Extension: X509v3 CRL Distribution Points
Extension: X509v3 Extended Key Usage
Extension: Authority Information Access
Subject
C=US
O=thawte, Inc.
CN=thawte SHA256 SSL CA
Issuer
C=US
O=thawte, Inc.
OU=Certification Services Division
OU=(c) 2008 thawte, Inc. - For authorized use only
CN=thawte Primary Root CA - G3
Serial 36 34 9e 18 c9 9c 26 69 b6 56 2e 6c e5 ad 71 32
Extensions
Extension: Authority Information Access
Extension: X509v3 Basic Constraints
Critical
Extension: X509v3 Certificate Policies
Extension: X509v3 CRL Distribution Points
Extension: X509v3 Key Usage
Critical
Extension: X509v3 Subject Alternative Name
Extension: X509v3 Subject Key Identifier
Extension: X509v3 Authority Key Identifier
363 4 1448048245.1584 (0.0000) S>CV3.2(331) Handshake
ServerKeyExchange
363 5 1448048245.1584 (0.0000) S>CV3.2(4) Handshake
ServerHelloDone
363 6 1448048245.1624 (0.0039) C>SV3.2(70) Handshake
ClientKeyExchange
363 7 1448048245.1641 (0.0017) C>SV3.2(1) ChangeCipherSpec
363 8 1448048245.1642 (0.0000) C>SV3.2(64) Handshake
363 9 1448048245.1644 (0.0001) S>CV3.2(2) Alert
level fatal
value bad_record_mac
363 1448048245.1644 (0.0000) S>C TCP FIN
363 1448048245.1651 (0.0007) C>S TCP FIN
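A triage helper for ssldump traces like the one posted above, added here as an example and not part of the original thread or of any F5 tooling: it reports the negotiated version and cipher suite, which side sent the fatal alert, and the record that preceded it. The function name `triage` and the abbreviated sample are assumptions; the version map uses the standard wire values (3.2 is TLS 1.1).

```python
import re
# ssldump record header, e.g. "363 9 1448048245.1644 (0.0001) S>CV3.2(2) Alert"
REC = re.compile(r"^(\d+) \d+ [\d.]+ \([\d.]+\) ([CS])>[CS]\s*V(\d\.\d)\(\d+\)\s+(\w+)")
VERSIONS = {"3.0": "SSL 3.0", "3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}
MSGS = {"ClientHello", "ServerHello", "Certificate", "ServerKeyExchange",
        "ServerHelloDone", "ClientKeyExchange", "Finished"}
# Constructed sample: the trace from the post, abbreviated to the lines the parser uses.
SAMPLE = """\
363 2 1448048245.1584 (0.0011) S>CV3.2(87) Handshake
ServerHello
cipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
363 6 1448048245.1624 (0.0039) C>SV3.2(70) Handshake
ClientKeyExchange
363 7 1448048245.1641 (0.0017) C>SV3.2(1) ChangeCipherSpec
363 8 1448048245.1642 (0.0000) C>SV3.2(64) Handshake
363 9 1448048245.1644 (0.0001) S>CV3.2(2) Alert
level fatal
value bad_record_mac
363 1448048245.1644 (0.0000) S>C TCP FIN
"""

def triage(dump):
    """Return {connection: summary} for every connection that hit a fatal alert."""
    conns, out, c, rec = {}, {}, None, None
    for line in map(str.strip, dump.splitlines()):
        m = REC.match(line)
        if m:
            conn, sender, ver, ctype = m.groups()
            c = conns.setdefault(conn, {"cipher": None, "ccs": set(), "prev": {}})
            rec = {"sender": sender, "type": ctype, "encrypted": sender in c["ccs"]}
            if ctype == "ChangeCipherSpec":
                c["ccs"].add(sender)   # records this side sends next are encrypted
            if ctype != "Alert":
                c["prev"] = rec        # last record seen before any alert
        elif c is None:
            continue                   # preamble before the first record header
        elif line.startswith("cipherSuite "):
            c["cipher"] = line.split()[1]   # suite the server selected
        elif line in MSGS and rec["type"] == "Handshake":
            rec["msg"] = line          # decoded (plaintext) handshake message name
        elif line == "level fatal":
            rec["fatal"] = True
        elif line.startswith("value ") and rec.get("fatal"):
            prev = c["prev"]
            out[conn] = {"version": VERSIONS.get(ver, ver), "cipher": c["cipher"],
                         "alert": line.split()[1], "alert_from": rec["sender"],
                         "after": prev.get("msg") or prev.get("type"),
                         "after_encrypted": prev.get("encrypted", False)}
    return out
```

For connection 363 this shows the server's `bad_record_mac` arriving directly after the client's first encrypted handshake record, under TLS 1.1 with `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`.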