Forum Discussion

Cirrus

Oct 04, 2023

SSL protocol mismatch

Ok, I ended up way down a rabbit hole earlier this week. That whole line of thought seemed to be a red herring. BigIP LTM trying to load balance to MS Navision servers which don't use standard 80 o...

application delivery

LTM

ssl

Paulius
Oct 05, 2023
irbk That is correct. Unless you have some way of the F5 being able to look for a value in the client request that would define if it was intended to be SSL or not you would have to split SSL and non-SSL into two different VS listening on different ports on the F5 side that is client facing.

Amine_Kadimi

MVP

To confirm the issue is with the TLS cipher negociation between the client and the VS, you should get a ssldump. Overview of packet tracing with the ssldump utility (f5.com)

The client hello part of the dump will show you what cipehrs are supported by the client, you can then cross check them with the 'DEFAULT' ciphers

irbk

Cirrus

Oct 05, 2023

This is interesting, with the SSL Profile (Client) and SSL Profile (Server) setup, doing a TCPdump capturing only the VS IP, I see 9 packets, none of which are a SSL/TLS negotation. So it's like they aren't even trying the TLS communication or the communication is dying when they try to start the negotation.

If I just have the SSL passthrough (IE "Performance (Layer4)") the connection succeeds and I cearly see the TLS negotation taking place.

Amine_Kadimi
MVP
Oct 05, 2023
It's not easy to tell from a tcpdump output that there is any ssl negotiation happening unless you export it to wireshark. I would definitely see what ssldump output looks like
- irbk
  Cirrus
  Oct 05, 2023
  Oh, yeah, I exported the TCP dump direct to wireshark and it's absoultely clear that there is no TLS communication taking place. According to what I'm understanding Paulius is saying below, in an SSL Bridging mode, the F5 can't handle SSL and non-SSL traffic on the same port, which is exactly how this application communicates.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

SSL protocol mismatch

Recent Discussions

SSL bridging without SSL proxy forward

Client SSL Profile set to Require Client Certificate breaks RDP in APM

TS Declarations for DNS

APM file and registry key date check 8 days old

Should config via cli rather than gui?

Related Content

Cipher suite mismatch advertisement/warning

Capture SSL Profile Protocol Stats - Bash

Remote Desktop Protocol (RDP) using an SSL VPN

AFM Protocol Inspection rules for CVE-2022-3602 (aka SpookySSL)

Unsupported Snort Keywords in Protocol Inspection

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS