Forum Discussion
Oleg_68955
Nov 05, 2012 Nimbostratus
SSL issue with LTM
Hi there,
I have a problem configuring a pool on our LTM using port 443. I'm new to Big-IP, but there's no one in the company that can help me with that issue, so I post here. Excuse me if that'...
dd007_132137
Aug 23, 2013 Nimbostratus
I am seeing the same error from curl as Oleg posted. I also have auto-map selected in my SNAT pool. Here's the error:
About to connect() to dd-test.api.devabcdcentral.com port 443 (0)
* Trying 10.162.143.11...
* connected
* Connected to dd-test.api.devabcdcentral.com (10.162.143.11) port 443 (0)
* successfully set certificate verify locations:
* CAfile: ca.pem
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: C=US; ST=Missouri; L=Kansas CIty; O=abcd Corporation; CN=*.api.devabcdcentral.com
* start date: 2013-02-25 17:23:45 GMT
* expire date: 2015-02-26 00:57:04 GMT
* subjectAltName: dd-test.api.devabcdcentral.com matched
* issuer: C=US; O=Entrust, Inc.; OU=www.entrust.net/rpa is incorporated by reference; OU=(c) 2009 Entrust, Inc.; CN=Entrust Certification Authority - L1C
* SSL certificate verify ok.
> POST /collector/dropbox?datatype=test HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: dd-test.api.devabcdcentral.com
> Accept: */*
> Content-Length: 5746
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=----------------------------8e653031b25f
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
The command I am trying is:
curl https://dd-test.api.devabcdcentral.com/collector/dropbox?datatype=test -F myFile=@pom.xml -v --key key.pem --cacert ca.pem --cert client.pem:ddtest
Could someone please share some pointers on what could be wrong here? Just fyi, my iRule looks like this:
when HTTP_REQUEST {
    if {([string tolower [HTTP::host]] equals "collector.api.devabcdcentral.com")} {
        log local0. "I'm in your lost section logging your iRulez"
    }
}
when RULE_INIT {
    set static::tlsdebug 1
    set static::cert_cache_time 3600
    log local0. "********** I'm in new collector endpoints' iRule (0) ************ $static::cert_cache_time"
}
# When a client starts the handshake, fall back to ignore mode; this is for renegotiating an authenticated session.
when CLIENTSSL_CLIENTHELLO {
    set sn [session lookup ssl [SSL::sessionid]]
    log local0. "********** I'm in new collector endpoints' iRule (1) ************ $sn"
    if {not ([info exists reneg]) || $reneg == 0} {
        SSL::cert mode ignore
        log local0. "********** Ignoring cert mode ************"
    }
}
when CLIENTSSL_HANDSHAKE {
    if { [SSL::cert count] > 0 } {
        # Set the serial number for this request and stash it in session.
        set sn [string map {"" ""} [X509::serial_number [SSL::cert 0]]]
        session add ssl [SSL::sessionid] $sn $static::cert_cache_time
        # Release the collected transaction.
        HTTP::release
    }
    set reneg 0
}