Forum Discussion
SSL handshake failure using serverssl (F5 and Citrix Netscaler)
- Jun 25, 2018
Can you change Secure Negotiation to Request and test?
SSL profile config may also help. Wildcard should be fine. If you're on a version prior to 11.4, the length of the wildcard cert chain could present a problem if it exceeds 32k.
 
https://support.f5.com/csp/article/K17050
 
There could be another requirement on either side that is not being met. HSTS or master secret extensions could also be factors.
 
https://support.f5.com/csp/article/K34019109
 
The cert should be negotiated at the time of failure as seen in: https://devcentral.f5.com/s/feed/0D51T00006i7gXVSAY
 
The cert exchange should happen next and contain its own cert and possibly an intermediary CA. They should be using a standard trusted root CA, but if they're not, you'll want to have their cert chain in our system to validate.
 
https://devcentral.f5.com/s/feed/0D51T00006i7WonSAE
 
But if you can, provide your SSL profile config and the Netscaler's and, as Anesh stated, your VIP config. That will help determine where the handshake failure may reside.
 
If you can provide the contents of their cert (cert NOT key) and chain, it would be easy to identify if it's a one-off or weird multi-chain cert.
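Added example, not part of the original thread and not F5 or Citrix code: a pre-share check for a PEM chain bundle that counts the certificates, totals their DER size against the 32k figure mentioned above, and flags any private key block before the file is posted. Reading "32k" as 32 KiB of DER bytes is an assumption, and the sample chains are constructed placeholders, not real certificates.

```python
import base64
import re

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
LIMIT_BYTES = 32 * 1024  # assumption: the thread's "32k" taken as 32 KiB of DER

def der_declared_length(der):
    """Total size (header + body) declared by a DER SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def summarize_chain(pem_text):
    """Count certificate blocks, size them, and flag key material in the bundle."""
    certs = []
    for i, m in enumerate(CERT_RE.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        certs.append({"index": i, "der_bytes": len(der),
                      "well_formed": der_declared_length(der) == len(der)})
    total = sum(c["der_bytes"] for c in certs)
    return {"count": len(certs), "total_der_bytes": total, "certs": certs,
            "over_limit": total > LIMIT_BYTES,
            "has_private_key": bool(KEY_RE.search(pem_text))}

def _fake_cert(body_len):
    """Constructed stand-in: a DER SEQUENCE header plus zero bytes, not a real cert."""
    der = b"\x30\x82" + body_len.to_bytes(2, "big") + bytes(body_len)
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

SAMPLE_CHAIN = _fake_cert(1500) + _fake_cert(1200)            # leaf + intermediate
OVERSIZED_CHAIN = "".join(_fake_cert(4000) for _ in range(9))
WITH_KEY = SAMPLE_CHAIN + "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, pem in (("sample", SAMPLE_CHAIN), ("oversized", OVERSIZED_CHAIN), ("with key", WITH_KEY)):
        s = summarize_chain(pem)
        print(name, s["count"], s["total_der_bytes"], s["over_limit"], s["has_private_key"])
```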
 