Forum Discussion
SSL protocol mismatch
- Oct 05, 2023
irbk That is correct. Unless you have some way of the F5 being able to look for a value in the client request that would define if it was intended to be SSL or not you would have to split SSL and non-SSL into two different VS listening on different ports on the F5 side that is client facing.
To confirm the issue is with the TLS cipher negociation between the client and the VS, you should get a ssldump. Overview of packet tracing with the ssldump utility (f5.com)
The client hello part of the dump will show you what cipehrs are supported by the client, you can then cross check them with the 'DEFAULT' ciphers
- irbkOct 05, 2023Cirrus
This is interesting, with the SSL Profile (Client) and SSL Profile (Server) setup, doing a TCPdump capturing only the VS IP, I see 9 packets, none of which are a SSL/TLS negotation. So it's like they aren't even trying the TLS communication or the communication is dying when they try to start the negotation.
If I just have the SSL passthrough (IE "Performance (Layer4)") the connection succeeds and I cearly see the TLS negotation taking place.
- Amine_KadimiOct 05, 2023MVP
It's not easy to tell from a tcpdump output that there is any ssl negotiation happening unless you export it to wireshark. I would definitely see what ssldump output looks like
- irbkOct 05, 2023Cirrus
Oh, yeah, I exported the TCP dump direct to wireshark and it's absoultely clear that there is no TLS communication taking place. According to what I'm understanding Paulius is saying below, in an SSL Bridging mode, the F5 can't handle SSL and non-SSL traffic on the same port, which is exactly how this application communicates.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com