Forum Discussion
SSL Read Error
I have a strange problem that I'm trying to sort out. I have a vendor (Mandrill) that is POSTing a webhook to a site that I have sitting behind my BigIP. BigIP is managing the certificate for the client; there is no server-side cert.
This system supports several vendors posting to the same site. This one is slightly different in that it is posting a JSON payload as an encoded URL form field versus just a JSON post.
Anyway, the vendor keeps failing on "SSL read: error:00000000:lib(0):func(0):reason(0), errno 104". Since the F5 is hosting the SSL and since I've tried everything else...I've sort of run out of ideas beyond posting here and looking for some ideas on where to look.
If I download the content and manually post with curl it works. I've seen this error elsewhere, I'm wondering if there's something I need to allow for given their sending system?
- Kevin_Stewart (Employee)
I would recommend running an SSLDUMP on the client side interface to see what's going on in the handshake.
- chester_16314 (Nimbostratus)
Thanks Kevin, I'd like to do that-- but when I run a curl I haven't any issues. The vendor site has the issue and they've yet to admit any issue on their side.
- Kevin_Stewart (Employee)
Do you know their IP space? Maybe you can just keep the capture running (covertly) while they're testing. You have the private key so you should still be able to see the handshake data.
- chester_16314 (Nimbostratus)
I'll investigate that--
- third_eye_13875 (Nimbostratus)
Hey, did you find anything about this? I think we have a similar problem...
- Matt_Elkington (Nimbostratus)
I have the same issue.
I have a VIP that is doing SSL offload. In the normal run of things it works fine.
However, I have an iRule which uses HTTP::respond in certain circumstances to inject a cookie.
When this functionality kicks in I get in a curl:
- SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
- Closing connection 0
The iRule works fine under the non-HTTPS version of the VIP. It works fine on my lab box, just not in the live environment.
This is running 11.4.1
- Kevin_Stewart (Employee)
The SSL read error may actually be an artifact of another issue. Can you check the LTM log for errors (/var/log/ltm)?
- tyrel_130997 (Nimbostratus)
I'm experiencing the same SSL error when trying to use a URI rewrite profile, or an iRule to replace the host header. As soon as I apply either I start getting this SSL read error: SSL read: error:00000000:lib(0):func(0):reason(0), errno 104 Empty reply from server Closing connection 0
- Romani_2788 (Historic F5 Account)
I saw this post. It might help. It seems to be related to the version of curl being used. http://www.linuxquestions.org/questions/red-hat-31/rhel5-9-curl-to-https-openssl-heartbleed-issue-4175502112/
- john_thedude_34 (Nimbostratus)
Thank you for the above link pointing to the curl version. We have the same problem with the same vendor. Has anyone found a solution on the F5 side?
- irig4u_152672 (Nimbostratus)
Tried creating a scenario in the lab to reproduce the error 'SSL read: error:00000000:lib(0):func(0):reason(0), errno 104'. The one that I used to repro the error was to configure BIG-IP to default serverssl (v12.1.2), which does not have sslv3 to use, and configure the server to only accept sslv3.
Tested with curl and managed to get the exact same message in output
GET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1l zlib/1.2.3 libidn/1.18
Host: 1.1.1.6
Accept: */*
- SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
- Closing connection 0
I suppose this would apply even when there is no cipher supported by the destination server that is offered by the client.
Capturing the data on the wire, if you should see the server responding to the client hello with a handshake failure alert, then it's probably the same condition I tested on.
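Added example, not written by any poster in this thread and not F5 code: a small Python classifier for the plaintext bytes a server sends right after the ClientHello, separating the handshake failure alert described in the last post from a reset with no TLS reply at all (errno 104 is ECONNRESET on Linux). The function names and the two sample byte strings are constructed for illustration.

```python
import struct

# Alert descriptions relevant to negotiation failures (RFC 5246, section 7.2).
ALERTS = {0: "close_notify", 40: "handshake_failure",
          70: "protocol_version", 71: "insufficient_security"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_records(data):
    """Yield (content_type, payload) for each complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack_from("!BHH", data, off)
        end = off + 5 + length
        if end > len(data):          # truncated record: stop, do not guess
            break
        yield ctype, data[off + 5:end]
        off = end

def classify_server_reply(data):
    """Classify the first bytes the server sent after the ClientHello."""
    for ctype, payload in parse_records(data):
        if ctype == 21 and len(payload) >= 2:            # alert record
            level = "fatal" if payload[0] == 2 else "warning"
            name = ALERTS.get(payload[1], "alert_%d" % payload[1])
            return ("alert", "%s %s" % (level, name))
        if ctype == 22 and len(payload) >= 6 and payload[0] == 2:
            # ServerHello: version and cipher negotiation succeeded, so a
            # later reset has some other cause than a protocol mismatch.
            ver = struct.unpack_from("!H", payload, 4)[0]
            return ("server_hello", VERSIONS.get(ver, hex(ver)))
    # Nothing parseable before the connection ended: a bare reset.
    return ("no_tls_reply", "")

# Constructed samples (not captured from any system in this thread).
ALERT_SAMPLE = bytes.fromhex("15030100020228")        # fatal, description 40
HELLO_SAMPLE = bytes.fromhex("1603030006020000020303")  # ServerHello stub

if __name__ == "__main__":
    for label, blob in (("alert", ALERT_SAMPLE), ("hello", HELLO_SAMPLE),
                        ("reset", b"")):
        print(label, classify_server_reply(blob))
```

Feed it the server-to-client payload bytes of the failing connection, extracted from the capture taken on the client-side interface.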