Forum Discussion
SSL handshake errors
Hi there,
Recently put TMOS version 12 into production and see following SSL handshake errors, none of which existed in version 10.2.3:
Nov 12 03:15:36 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 72.238.29.206:60819 -> x.x.x.x:443
Nov 12 03:15:55 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 96.241.137.52:50815 -> x.x.x.x:443
Nov 12 03:16:12 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 166.172.187.30:38119 -> x.x.x.x:443
Nov 12 03:16:32 dc1lbc2p warning tmm[11446]: 01260009:4: Connection error: hud_ssl_handler:1135: codec alert (20)
Nov 12 03:16:32 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP y.y.y.y:63127 -> z.z.z.z:443
Nov 12 03:18:53 dc1lbc2p warning tmm[11446]: 01260009:4: Connection error: ssl_hs_rxhello:7103: unsupported version (40)
Did ssldump and ssl debugs but can't figure it out. There are no low encryption ciphers being presented by clients. In fact I don't see any handshake errors in the packet captures. It's pretty baffling. Would be great if someone can throw some light. Techs at F5 haven't been able to figure it out either.
Thanks Naresh
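A way to triage log lines like the ones in the post offline, added here as an example and not part of the original thread: it parses tmm's "SSL Handshake failed" and "Connection error" messages, tallies failures per virtual server and per client, and pairs each warning with the next failure logged within a short window (the warning line carries no client address, so the pairing is a heuristic). The sample lines are constructed after the ones quoted above, with the masked x.x.x.x / y.y.y.y / z.z.z.z addresses replaced by TEST-NET addresses; the field names, the two-second window and the function names are this example's own choices.

```python
"""Parse BIG-IP tmm SSL handshake log lines and pair warnings with failures.

Added example, not from the original thread or from F5.  Sample lines are
constructed after the ones in the post; masked addresses replaced by
documentation (TEST-NET) ranges.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
Nov 12 03:15:36 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 72.238.29.206:60819 -> 192.0.2.1:443
Nov 12 03:15:55 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 96.241.137.52:50815 -> 192.0.2.1:443
Nov 12 03:16:12 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 166.172.187.30:38119 -> 192.0.2.1:443
Nov 12 03:16:32 dc1lbc2p warning tmm[11446]: 01260009:4: Connection error: hud_ssl_handler:1135: codec alert (20)
Nov 12 03:16:32 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 198.51.100.7:63127 -> 192.0.2.2:443
Nov 12 03:18:53 dc1lbc2p warning tmm[11446]: 01260009:4: Connection error: ssl_hs_rxhello:7103: unsupported version (40)
"""

# syslog prefix + tmm message id (8 hex digits) + severity digit + free text
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"tmm\[(?P<pid>\d+)\]: (?P<msgid>[0-9a-f]{8}):(?P<sev>\d): (?P<msg>.*)$"
)
FAIL_RE = re.compile(
    r"SSL Handshake failed for TCP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
ERR_RE = re.compile(
    r"Connection error: (?P<func>\w+):(?P<line>\d+): (?P<reason>.+?) \((?P<code>\d+)\)"
)


def parse_line(line):
    """Return a dict for one tmm line, or None if it is not a tmm line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog has no year; strptime defaults to 1900, which is fine for ordering
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    fail = FAIL_RE.search(rec["msg"])
    err = ERR_RE.search(rec["msg"])
    if fail:
        rec["kind"] = "handshake_failed"
        rec.update(fail.groupdict())
    elif err:
        rec["kind"] = "connection_error"
        rec.update(err.groupdict())
        rec["code"] = int(rec["code"])
    else:
        rec["kind"] = "other"
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def correlate(records, window_seconds=2):
    """Pair each 'Connection error' warning with the first not-yet-used
    handshake failure logged at the same time or up to window_seconds later.
    Heuristic: the warning has no client address, so the pairing is by time."""
    failures = [r for r in records if r["kind"] == "handshake_failed"]
    used, pairs = set(), []
    for err in (r for r in records if r["kind"] == "connection_error"):
        match = None
        for idx, f in enumerate(failures):
            if idx in used:
                continue
            delta = (f["time"] - err["time"]).total_seconds()
            if 0 <= delta <= window_seconds:
                match, _ = f, used.add(idx)
                break
        pairs.append((err, match))
    return pairs


def summarize(records):
    failures = [r for r in records if r["kind"] == "handshake_failed"]
    errors = [r for r in records if r["kind"] == "connection_error"]
    explained = sum(1 for _, f in correlate(records) if f is not None)
    return {
        "failures_by_vip": Counter(f"{r['dst']}:{r['dport']}" for r in failures),
        "failures_by_client": Counter(r["src"] for r in failures),
        "reasons": Counter(f"{r['reason']} ({r['code']})" for r in errors),
        "unexplained_failures": len(failures) - explained,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

The warnings (01260009) and the failures (01260013) are counted separately because tmm logs them as different messages; the count of failures with no warning near them is the figure to chase in ssldump, since those connections left no stated reason in the log at all.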
- Kevin_Stewart (Employee)
Great, so first step is to turn it off at the server. If you can't do that, try this simple iRule to remove it from responses:
when HTTP_RESPONSE {
    if { [HTTP::header exists "Strict-Transport-Security"] } {
        HTTP::header remove "Strict-Transport-Security"
    }
}
If that does the trick, then you just need to wait that 500 seconds for the cache to timeout and then try again.
- Naresh_N (Nimbostratus)
From the header it seems like the server is sending it, but I haven't configured it on the BIG-IP.
< Strict-Transport-Security: max-age=500
- Kevin_Stewart (Employee)
Not clients. Servers. If you're seeing this header at the client, then someone is sending it.
- Naresh_N (Nimbostratus)
No, it's not configured in an iRule, and no, clients are not configured to send it.
- Kevin_Stewart (Employee)
Hit send too soon. This isn't enabled by default in a v12 HTTP profile, so do you have an iRule sending it? Can you tell if the application server is configured to send it?
- Kevin_Stewart (Employee)
Look at the HTTP profile in the GUI. This is v12?
> Not sure about clients being able to do that and causing handshake errors?
The point is that a modern browser will fail on trust issues if this header is present.
- Naresh_N (Nimbostratus)
I don't see it
[root@xxx:Active:In Sync] config # grep hsts bigip.conf
[root@xxx:Active:In Sync] config #
Not sure about clients being able to do that and causing handshake errors?
- Kevin_Stewart (Employee)
If this is v12 you should definitely see an hsts setting in the HTTP profile. In either case, in the HTTP profile assigned to this VIP, do you see the HTTP Strict Transport Security option (at the bottom of the profile)? And if so, is it enabled? If it's not enabled, is it possible that the application itself is sending the HSTS header?
- Naresh_N (Nimbostratus)
Kevin,
I should see this in my bigip.conf profile:
hsts { mode enabled }
but I am not seeing it there. Search for hsts in bigip.conf didn't find anything. Not sure what this means.
Naresh
- Kevin_Stewart (Employee)
Yes, this header indicates that you're using HSTS. Basically, that header tells the browser a few things:
- For all subsequent requests to this URL, always connect via HTTPS (regardless of the URLs presented to the browser)
- If for any reason the server's certificate cannot be validated, fail completely. In other words you don't get the option to bypass/ignore the error. It just fails.
It's very likely working in cURL because cURL doesn't understand HSTS. The max-age directive is in seconds, and that's how long the browser caches this information. Thankfully you didn't specify the usual 1 week, because it's very difficult to clear that cache. So at the very least you need to uncheck this value in the HTTP profile and wait 500 seconds to allow the browser to forget the setting. You may notice afterwards that the browser will prompt you to ignore the untrusted cert.
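Added example, not from the original thread or from F5: a small model of the browser-side behaviour Kevin describes in the post above, which also shows why stripping the header (as the iRule earlier in the thread does) is not enough on its own. It parses a Strict-Transport-Security value like the "max-age=500" seen in the curl output, caches the policy for max-age seconds, upgrades http URLs for that host while the entry is live, refuses the certificate-error bypass for that host, and only forgets the host once the cached entry lapses, whether or not the server keeps sending the header. It also covers the two directives the post does not mention: includeSubDomains and max-age=0 (which clears the entry). The clock is injected so expiry can be exercised; host names, timings and the class and function names are this example's assumptions.

```python
"""Model of a browser's HSTS cache (RFC 6797 semantics, simplified).

Added example, not from the original thread or from F5.  Host names,
timings and all identifiers here are this example's own assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) at which the entry lapses
    include_subdomains: bool


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains), or None when there is no
    valid max-age directive; browsers ignore such headers."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    def __init__(self, clock):
        self._clock = clock    # callable returning the current time in seconds
        self._hosts = {}       # host -> HstsPolicy

    def observe_response(self, host, headers):
        """Record the policy from an https response (RFC 6797 only honours the
        header over TLS; an http response would never reach here)."""
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if value is None:
            return                      # no header: existing entry is left alone
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 deletes the cached entry
            return
        self._hosts[host] = HstsPolicy(self._clock() + max_age, include_sub)

    def is_known(self, host):
        """True while an unexpired entry covers host, directly or via a parent
        domain whose entry carries includeSubDomains."""
        now = self._clock()
        policy = self._hosts.get(host)
        if policy and policy.expires_at > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = self._hosts.get(".".join(labels[i:]))
            if parent and parent.expires_at > now and parent.include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """Upgrade http:// to https:// for a known host; otherwise unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.hostname if parts.port == 80 else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

    def accept_cert_error(self, host, user_clicks_through=True):
        """A known HSTS host gets no click-through on a certificate error."""
        return user_clicks_through and not self.is_known(host)
```

The point for the thread: once the browser has cached max-age=500 for the host, removing the header at the server or with the iRule changes nothing for that browser until the 500 seconds have elapsed, and any certificate problem on the virtual server is a hard failure for the whole period.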