Forum Discussion

Cirrostratus

Apr 22, 2014

SSL handshake Failure

one of my VIP were using ssl profiles, I updated ciphers in my ssl profile not to use RC4 and then changes were reverted to default. but after that i am unable to open that site in browser. After checking SSL dump i can see ssl handshake failure. i.e New TCP connection 4: 172.16.2.83(55847) <-> 199.96.220.18(6443) 4 1 1398154000.3027 (0.3390) C>SV3.1(114) Handshake ClientHello Version 3.1 random[32]= 53 56 23 77 70 87 2f d4 74 d1 e7 b0 ac 3d 16 ab 18 6d 3e 14 e6 1b bb 28 c1 87 0c 7d 33 0f 9c 0d cipher suites TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xc013 Unknown value 0xc014 Unknown value 0xc009 Unknown value 0xc00a TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA compression methods NULL 4 2 1398154000.3027 (0.0000) S>CV3.1(2) Alert level fatal value handshake_failure 4 1398154000.3028 (0.0000) S>C TCP FIN 4 1398154000.6416 (0.3388) C>S TCP FIN

application delivery

BIG-IP Access Policy Manager (APM)

12 Replies

Emad
Cirrostratus
Apr 22, 2014
Now CIPHER Set is changed to

TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256

I am unable to understand even RC4 was included, why it was not working. Can you guide.
Kevin_Stewart
Employee
Apr 22, 2014
You specified RC4 in your client SSL cipher string and, it would seem, never changed that.

RC4:!SSLv2:!EXPORT40:!EXP:!LOW

This cipher list represents the server's cipher capability, and since the client wasn't presenting any RC4 ciphers, the session was terminated. Changing the cipher string back to "DEFAULT" would have solved that problem.