Forum Discussion

Nilesh_Dubey_36
Oct 24, 2018

SSL handshake is not getting completed.

Hi Guys, I am getting the below-mentioned error when doing curl, and the SSL handshake is also not getting completed. Only the Client Hello is being sent. Can anyone please suggest what the error could be?

successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSLv3, TLS handshake, Client hello (1): * Unknown SSL protocol error in connection to

  • If you're not getting the ServerHello message, it's very likely that the ClientHello doesn't contain any ciphers that the server (F5) can use. It would be useful to do an ssldump to view this transaction in more detail:

    ssldump -AdNn -i [client-side VLAN] port 443 [and any additional filters]
    

    And do you have any special settings applied to the client SSL profile here?
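To make the cipher-mismatch explanation concrete, here is an added example (not code from the original thread or from F5) that parses a TLS ClientHello record, lists the cipher suites the client offered, and intersects them with the suites a server is configured to accept. The ClientHello bytes are constructed inline for the demonstration; the `CIPHER_NAMES` table is a small hand-picked subset of IANA suite codes, and the "server" list is an assumed example configuration, not anything from the thread.

```python
"""Parse a TLS ClientHello and check whether a server could pick any of its cipher suites.

Added example: if the intersection is empty, a server has nothing to put in a
ServerHello, which is exactly the symptom of a ClientHello with no reply.
"""
import struct

# Small subset of IANA cipher-suite codes, for readable output (assumption: illustrative only).
CIPHER_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def build_client_hello(suites, version=0x0303):
    """Construct a minimal TLS ClientHello record (sample input, not a real capture)."""
    body = struct.pack("!H", version)            # client_version (0x0303 = TLS 1.2)
    body += bytes(32)                             # random: all zeros in this constructed sample
    body += b"\x00"                               # session_id length 0
    body += struct.pack("!H", 2 * len(suites))    # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                           # compression_methods: null only
    body += b"\x00\x00"                           # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    # Record header: ContentType handshake(22), legacy record version 3.1, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the client_version and offered cipher suites from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                  # skip random
    pos += 1 + hello[pos]                         # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return {"version": version, "cipher_suites": suites}


def common_suites(record, server_suites):
    """Suites both sides support, in the server's preference order (what a ServerHello could carry)."""
    offered = set(parse_client_hello(record)["cipher_suites"])
    return [s for s in server_suites if s in offered]


def explain(record, server_suites):
    """Human-readable diagnosis of why a ServerHello would or would not be sent."""
    common = common_suites(record, server_suites)
    offered = parse_client_hello(record)["cipher_suites"]
    names = [CIPHER_NAMES.get(s, "0x%04X" % s) for s in offered]
    if not common:
        return "no ServerHello possible: client offered %s, none accepted by server" % names
    return "server would select %s" % CIPHER_NAMES.get(common[0], "0x%04X" % common[0])


if __name__ == "__main__":
    # Assumed server configuration: modern ECDHE-GCM suites plus one AES-CBC fallback.
    server = [0xC030, 0xC02F, 0x0035]
    legacy_client = build_client_hello([0x0005, 0x000A])          # RC4 / 3DES only
    modern_client = build_client_hello([0xC02F, 0xC030, 0x002F])
    print(explain(legacy_client, server))
    print(explain(modern_client, server))
```

With a real capture, the same check is what `ssldump` shows you in its ClientHello/ServerHello decode: if the cipher list in the ClientHello has no overlap with the server's configured suites, the server has no suite to name in a ServerHello and the handshake stops after the first message, which matches the curl output in the question.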

  • Hi Nilesh,

    Before using this command:

    ssldump -nr /var/tmp/www-ssl-client.cap

    You have to capture traffic:

    tcpdump -vvv -s 0 -nni external -w /var/tmp/www-ssl-client.cap host xxx.xxx.xxx.xxx and port 443

    As you said before, your VS is L4, so the SSL handshake is done with your backend server (between the client and the backend server; F5 doesn't intercept SSL traffic). So it is not the F5 that is sending `SSLv3, TLS handshake, Client hello (1):` to the server.

    The SSL handshake is done between the client and the backend server.

    So you have 2 solutions in order to resolve your issue: intercept the traffic (SSL interception on the F5) or talk with the app owner in order to modify his cipher/protocol.

    Regards

  • Nilesh,

    Youssef is giving you an example where the VLAN is named "external". The "-i" in tcpdump indicates the interface or VLAN name. So in your case it'd be whatever VLAN name you're listening for traffic. Presumably you have separate client-side and server-side VLANs, so you should tcpdump on each of these.