

Mike_Gagne_1393
Dec 08, 2013

SSL Proxy Firefox Issue

I'm working on a project where we use the F5 BIG-IP (version 10.0.0) Load Balancer to route traffic to two appliances. It's a requirement of ours to use SSL and certificate authentication. We've configured the F5 to use SSL Proxy on the SSL Client and Server profiles. We've set up the certificates correctly (the destination appliances are configured with the same certificate as the F5) and are using the DEFAULT setting for the cipher suite.


The issue we're experiencing is that we are unable to successfully connect using Firefox (tested with versions 17 and 24). Firefox seems to try and connect, but always returns a "Connection Timeout" error. Surprisingly, IE (9 and 10) works great. The F5 logs do complain about an SSL Handshake error and that a certain cipher (can't remember which one) isn't supported.


We tried a few suggestions we found on the forum, but none seemed to work. Here's what we tried:

  • In Firefox, going to Advanced -> Network -> Settings and toggling "No Proxy", "Auto-detect..", and "Use system proxy settings"
  • Disabling all add-ons and plugins
  • In Firefox, going to about:config and enabling every SSL cipher
  • Clearing the cache and all cookies


So I'm hoping someone out there has experienced the same issue as us. Any and all suggestions are welcome at this point as we are totally out of things to try.


Thanks!


2 Replies

  • The issue, as you've alluded, is that ProxySSL (more specifically LTM) does not support the ciphers that the client and server are trying to negotiate. Significant improvements were made to ProxySSL in version 11.3 HF5. It's still not perfect, nor does it yet support all of the ciphers, but it should work with the latest Firefox.


  • The issue is that Firefox will natively attempt to negotiate a cipher that the LTM doesn't support (e.g. DH, EDH, etc.). Yes, there are comparable ciphers between the two, but if the initial cipher selection isn't supported by the LTM then it will fail closed. IE generally has a smaller list of supported ciphers and just happens to default to ciphers that the LTM supports. The LTM is a silent party to the SSL negotiation between client and server when doing ProxySSL, and as such has no influence over what ciphers are chosen. You could definitely still get it to work, but you'd likely have to modify both the client and the server to negotiate a different set of ciphers, something that isn't really realistic unless you control the clients.


    You can actually watch this process and the negotiated ciphers with an ssldump and the private key used in the ProxySSL client and server SSL profiles.


    Version 11 has added quite a few new ciphers and HF5 actually fixed a bug with ProxySSL and SSL renegotiation, and reportedly more ciphers are coming.
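The "silent party" point above can be checked by looking at the ServerHello the server actually sends, which is what ssldump shows you. The following is an added example, not code from this thread or from F5: it parses a constructed TLS 1.2 ServerHello record, reports the cipher suite the server selected, and flags whether that suite uses ephemeral DH/ECDH (which a passive proxy holding only the server's RSA key cannot follow). The cipher table and the `PROXY_SUPPORTED` set are placeholders for illustration, not the LTM's real cipher list.

```python
import struct

# IANA TLS cipher-suite code points: a small constructed subset for the demo.
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# Assumption (placeholder, not the LTM's real list): a passive proxy holding the
# server's RSA key can only follow sessions that use static-RSA key exchange;
# ephemeral DH/ECDH suites derive keys the proxy never sees.
PROXY_SUPPORTED = {0x002F, 0x0035}


def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (test input only)."""
    body = struct.pack("!H", 0x0303) + bytes(32)          # version + random
    body += bytes([len(session_id)]) + session_id          # session_id
    body += struct.pack("!HB", suite, 0)                   # suite + null compression
    hs = bytes([2]) + len(body).to_bytes(3, "big") + body  # HandshakeType 2
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs   # ContentType 22


def parse_server_hello(record: bytes) -> dict:
    """Return the cipher suite a ServerHello selected and how a proxy fares."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 2:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    off = 2 + 32                    # skip version and 32-byte random
    off += 1 + body[off]            # skip length-prefixed session_id
    suite = struct.unpack("!H", body[off:off + 2])[0]
    name = CIPHER_NAMES.get(suite, f"unknown(0x{suite:04x})")
    return {
        "version": version,
        "suite": suite,
        "name": name,
        "ephemeral_key_exchange": name.startswith(("TLS_DHE_", "TLS_ECDHE_")),
        "proxy_supported": suite in PROXY_SUPPORTED,
    }
```

Feeding `parse_server_hello` a record where the server picked 0x0039 (DHE) yields `proxy_supported: False`, which is the fail-closed case described in the reply; 0x002F (static RSA) yields `True`.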