Forum Discussion
SSL handshake failure
One of my VIPs was using SSL profiles. I updated the ciphers in my SSL profile not to use RC4, and then the changes were reverted to default, but after that I am unable to open that site in the browser. After checking the SSL dump I can see an SSL handshake failure, i.e.:
New TCP connection 4: 172.16.2.83(55847) <-> 199.96.220.18(6443)
4 1 1398154000.3027 (0.3390) C>SV3.1(114) Handshake
ClientHello Version 3.1
random[32]= 53 56 23 77 70 87 2f d4 74 d1 e7 b0 ac 3d 16 ab 18 6d 3e 14 e6 1b bb 28 c1 87 0c 7d 33 0f 9c 0d
cipher suites TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xc013 Unknown value 0xc014 Unknown value 0xc009 Unknown value 0xc00a TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
compression methods NULL
4 2 1398154000.3027 (0.0000) S>CV3.1(2) Alert level fatal value handshake_failure
4 1398154000.3028 (0.0000) S>C TCP FIN
4 1398154000.6416 (0.3388) C>S TCP FIN
- nitass (Employee)
Is the ClientHello cipher included in the clientssl profile?
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xc013 Unknown value 0xc014 Unknown value 0xc009 Unknown value 0xc00a TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
sol13156: SSL ciphers used in the default SSL profiles (11.x)
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html
- Emad (Cirrostratus)
tmsh list ltm profile client-ssl star.mysite.com all-properties
ltm profile client-ssl star.mysite.com {
    alert-timeout 60
    allow-non-ssl disabled
    app-service none
    authenticate once
    authenticate-depth 9
    ca-file ca-bundle.crt
    cache-size 20000
    cache-timeout 3600
    cert mysite.com_2011.crt
    cert-extension-includes none
    cert-lifespan 30
    chain geotrust_inter_2011.crt
    ciphers RC4:!SSLv2:!EXPORT40:!EXP:!LOW
    client-cert-ca none
    crl-file none
    defaults-from clientssl
    description none
    handshake-timeout 60
    key mysite.com_2011.key
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    partition Common
    passphrase none
    peer-cert-mode ignore
    proxy-ca-cert none
    proxy-ca-key none
    proxy-ca-passphrase none
    proxy-ssl disabled
    renegotiate-max-record-delay 10
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    session-ticket disabled
    sni-default false
    sni-require false
    ssl-forward-proxy disabled
    strict-resume disabled
    unclean-shutdown enabled
}
- nitass (Employee)
Which clientssl profile was used when you had the issue? Was it star.mysite.com or clientssl?
- Emad (Cirrostratus)
star.mysite.com.
- nitass (Employee)
star.mysite.com.
Is it inherited from the clientssl profile? Is ciphers set to RC4:!SSLv2:!EXPORT40:!EXP:!LOW?
tmsh list ltm profile client-ssl star.mysite.com all-properties
- Emad (Cirrostratus)
tmsh list ltm profile client-ssl star.mysite.com all-properties
ltm profile client-ssl star.mysite.com {
    alert-timeout 60
    allow-non-ssl disabled
    app-service none
    authenticate once
    authenticate-depth 9
    ca-file ca-bundle.crt
    cache-size 20000
    cache-timeout 3600
    cert mysite.com_2011.crt
    cert-extension-includes none
    cert-lifespan 30
    chain geotrust_inter_2011.crt
    ciphers RC4:!SSLv2:!EXPORT40:!EXP:!LOW
    client-cert-ca none
    crl-file none
    defaults-from clientssl
    description none
    handshake-timeout 60
    key mysite.com_2011.key
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    partition Common
    passphrase none
    peer-cert-mode ignore
    proxy-ca-cert none
    proxy-ca-key none
    proxy-ca-passphrase none
    proxy-ssl disabled
    renegotiate-max-record-delay 10
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    session-ticket disabled
    sni-default false
    sni-require false
    ssl-forward-proxy disabled
    strict-resume disabled
    unclean-shutdown enabled
}
- nitass (Employee)
Yes it is.
So, doesn't it work as expected (the connection is terminated) since the ClientHello cipher suite does not contain RC4?
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xc013 Unknown value 0xc014 Unknown value 0xc009 Unknown value 0xc00a TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- Emad (Cirrostratus)
No, it's not working. Whenever I try to connect to it, the browser does not load anything, and from tcpdump/ssldump I only get this information.
This is the latest one:
{
New TCP connection 38: 172.16.2.83(59404) <-> 199.96.220.18(6443)
38 1 1398157934.8606 (0.3549) C>SV3.1(123) Handshake
ClientHello Version 3.1
random[32]= 53 56 32 d6 73 79 f1 55 ce d9 0c ae a5 fe b1 f3 fb d3 0b 3b 0c f0 32 8b 7d 63 c0 43 20 cf de 1f
cipher suites TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xc013 Unknown value 0xc014 Unknown value 0xc009 Unknown value 0xc00a TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
compression methods NULL
38 2 1398157934.8607 (0.0001) S>CV3.1(2) Alert level fatal value handshake_failure
38 1398157934.8607 (0.0000) S>C TCP FIN
}
- nitass (Employee)
You are using the star.mysite.com clientssl profile, aren't you?
RC4:!SSLv2:!EXPORT40:!EXP:!LOW is set as ciphers in the star.mysite.com clientssl profile (according to tmsh list ltm profile client-ssl star.mysite.com all-properties), isn't it?
If yes, I understand not working is the expected behavior because there is no RC4 in the ClientHello cipher suite.
Do I misunderstand something?
- nitass (Employee)
What would be the rectification for it?
You can set ciphers in the star.mysite.com clientssl profile to DEFAULT or ALL, can't you?
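To make the diagnosis in this thread reproducible, here is an added example (not code from the thread or from F5) that parses the "cipher suites" line ssldump printed, resolves the "Unknown value" entries to their IANA names, and runs the server-preference selection a TLS server performs against the profile's allowed suites. The RC4_ONLY and DEFAULT_LIKE lists are hypothetical expansions of the cipher strings discussed above, not BIG-IP's real expansion.

```python
import re

# IANA cipher-suite ids for the entries ssldump printed as "Unknown value"
# (that ssldump build predates the ECDHE suites, so it cannot name them).
IANA_SUITES = {
    0xc013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xc014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xc009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xc00a: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
}

# Constructed copy of the "cipher suites" line from the thread's ssldump output.
SSLDUMP_CIPHER_LINE = (
    "cipher suites TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA "
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xc013 Unknown value 0xc014 "
    "Unknown value 0xc009 Unknown value 0xc00a TLS_DHE_DSS_WITH_AES_128_CBC_SHA "
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA "
    "compression methods NULL"
)

def parse_client_hello_suites(line):
    """Return the ClientHello cipher suites in client preference order,
    resolving ssldump's 'Unknown value 0x....' entries via the IANA table."""
    body = line.split("cipher suites", 1)[1].split("compression methods", 1)[0]
    suites = []
    for tok in re.findall(r"TLS_\w+|Unknown value 0x[0-9a-fA-F]{4}", body):
        if tok.startswith("Unknown"):
            code = int(tok.split("0x")[1], 16)
            suites.append(IANA_SUITES.get(code, tok))
        else:
            suites.append(tok)
    return suites

def negotiate(client_suites, server_suites):
    """Server-preference selection: the first suite in the server's ordered
    list that the client also offered, else None. None is the case where the
    server answers with alert handshake_failure, as the ssldump shows."""
    offered = set(client_suites)
    return next((s for s in server_suites if s in offered), None)

# Hypothetical expansions: "RC4:!SSLv2:!EXPORT40:!EXP:!LOW" admits only RC4
# suites; a DEFAULT-style list also contains the AES/3DES suites offered.
RC4_ONLY = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"]
DEFAULT_LIKE = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]

def diagnose(line, server_suites):
    """Name the suite that would be selected, or the alert the server sends."""
    chosen = negotiate(parse_client_hello_suites(line), server_suites)
    return chosen if chosen else "alert handshake_failure"
```

Running diagnose(SSLDUMP_CIPHER_LINE, RC4_ONLY) reproduces the fatal handshake_failure, while DEFAULT_LIKE selects TLS_RSA_WITH_AES_256_CBC_SHA, which is why widening the profile's cipher string fixes the site.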