Forum Discussion
Zuke_254875
Altostratus
AltostratusSSL handshake failure during SSO
Both our production and non-production service desk applications use SSO.
User connects to application VIP, which redirects users to the SSO VIP on 443.
The F5 configuration for these two ...
Zuke
Cirrostratus
CirrostratusAlright, so we got a new SSL certificate and my theory does not appear to be correct. The clientssl parent profile has been changed to the clientssl-insecure-compatible
Here is a copy of the SSLDUMP:
New TCP connection 22: 192.168.105.92(59853) <-> 192.168.28.140(443)
22 1 0.0012 (0.0012) C>SV3.3(161) Handshake
ClientHello
Version 3.3
random[32]=
5b 8e d9 0f 64 f5 32 7b 1c 0b fc 92 41 a8 82 7e
cb f4 c2 0b 6a 7f f6 f9 30 0a f8 5c f6 85 17 bc
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
NULL
22 2 0.0036 (0.0024) S>CV3.3(87) Handshake
ServerHello
Version 3.3
random[32]=
75 aa a3 00 16 c9 d3 98 56 56 25 51 f6 1c 62 bc
2b a1 99 ea 0b 79 9b d9 9b b8 df c8 86 e8 7c 24
session_id[32]=
aa 00 6c db 7f c5 60 3f 93 c9 50 e3 e6 0d 08 c7
34 e2 db 94 60 26 d7 30 42 be 6a a8 b6 9d 58 d7
cipherSuite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
22 3 0.0036 (0.0000) S>CV3.3(4491) Handshake
Certificate
Subject
CN=itsdtest.example.com
Issuer
DC=com
DC=example
CN=InternalCA
Serial 5a 00 00 80 b0 f0 2d 42 8b 48 43 0b bf 00 01 00
00 80 b0
Extensions
Extension: X509v3 Key Usage
Extension: X509v3 Subject Key Identifier
Extension: X509v3 Subject Alternative Name
Extension: X509v3 Authority Key Identifier
Extension: X509v3 CRL Distribution Points
Extension: Authority Information Access
Extension: 1.3.6.1.4.1.311.21.7
Extension: X509v3 Extended Key Usage
Extension: 1.3.6.1.4.1.311.21.10
Subject
DC=com
DC=example
CN=InternalCA
Issuer
CN=InternalCAroot
Serial 44 00 00 00 03 5e eb 3e 5c 75 84 80 b2 00 00 00
00 00 03
Extensions
Extension: 1.3.6.1.4.1.311.21.1
Extension: 1.3.6.1.4.1.311.21.2
Extension: X509v3 Subject Key Identifier
Extension: 1.3.6.1.4.1.311.20.2
Extension: X509v3 Key Usage
Extension: X509v3 Basic Constraints
Critical
Extension: X509v3 Authority Key Identifier
Extension: X509v3 CRL Distribution Points
Extension: Authority Information Access
Subject
CN=InternalCAroot
Issuer
CN=InternalCAroot
Serial 1c 53 ec 09 e5 3f 49 ab 46 69 30 03 1c 2c eb 61
Extensions
Extension: X509v3 Key Usage
Extension: X509v3 Basic Constraints
Critical
Extension: X509v3 Subject Key Identifier
Extension: 1.3.6.1.4.1.311.21.1
22 4 0.0036 (0.0000) S>CV3.3(333) Handshake
ServerKeyExchange
22 5 0.0036 (0.0000) S>CV3.3(4) Handshake
ServerHelloDone
22 6 0.0042 (0.0006) C>SV3.3(2) Alert
level fatal
value certificate_unknown
22 0.0042 (0.0000) C>S TCP FIN
22 0.0043 (0.0000) S>C TCP FIN