Forum Discussion
Zuke_254875
Altostratus
AltostratusSSL handshake failure during SSO
Both our production and non-production service desk applications use SSO.
User connects to application VIP, which redirects users to the SSO VIP on 443.
The F5 configuration for these two ...
Zuke
Cirrostratus
CirrostratusKevin, both situations result in a failure.
In both instances, the F5 is the server.
I asked the customer if he can change the ciphers on the application servers, since I'm not allowed to make a change to my F5 configuration. Here is the config of the parent clientssl profile showing the defined ciphers, which I believe don't match up with any ciphers in the client hello
ltm profile client-ssl /Common/default_cert_clientssl_profile {
app-service none
cert /Common/default.crt
cert-key-chain {
default {
cert /Common/default.crt
key /Common/default.key
}
}
chain none
ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:AES256-G
CM-SHA384:AES256-SHA256:!SHA1:!SSLv3:!TLSv1:!TLSv1_1
defaults-from /Common/clientssl
inherit-certkeychain true
key /Common/default.key
passphrase none
renegotiation disabled
}
When I compare the ciphers allowed in the clientssl profile and what was sent in the Client Hello packet, it looks to me like there are no ciphers that both sides agree upon.
Client Hello:
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Client SSL profile:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES256-SHA384
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES256-SHA256
- AES256-GCM-SHA384:AES256-SHA256
- !SHA1
- !SSLv3
- !TLSv1
- !TLSv1_1