Forum Discussion

Ajit's avatar
Ajit
Icon for Altostratus rankAltostratus
Jun 22, 2018

SSL handshake failure using serverssl (F5 and Citrix Netscaler)

Hello F5 Experts, I am getting fatal ssl handshake failure(40) right after the server hello message from the Citrix Netscaler which sits and the vendor location. I can see in wireshark that the TLS...
BIG-IP
LTM
security
  • Anesh's avatar
    Anesh
    Jun 25, 2018

    can you change Secure Negotiation to Request and test

     

Chase_Abbott's avatar
Chase_Abbott
Icon for Employee rankEmployee
Jun 22, 2018

SSL profile config may also help. Wildcard should be fine. If you're on a version prior to 11.4, the length of the wildcard cert chain could present a problem if it exceeds 32k.

 

https://support.f5.com/csp/article/K17050

 

There could be another requirement on either side that is not being met. HSTS or master secret extensions could also play factors.

 

https://support.f5.com/csp/article/K34019109

 

The cert should be negotiated at the time of failure as seen in: https://devcentral.f5.com/s/feed/0D51T00006i7gXVSAY

 

The cert exchange should happen next and contain it's own cert and possibly an intermediary CA. They should be using a standard trusted root CA but if they're not, you'll want to have their cert chain in our system to validate.

 

https://devcentral.f5.com/s/feed/0D51T00006i7WonSAE

 

But if you can, provide your SSL profile config and the Netscalars and as Anesh stated, your VIP config. That will help determine where the handshake failure may reside.

 

If you can provide the contents of their cert (cert NOT key) and chain, that would be easy to identify if it's a one-off or weird multi-chain cert.