Forum Discussion

chester_16314's avatar
chester_16314
Icon for Nimbostratus rankNimbostratus
Aug 08, 2013

SSL Read Error

I have a strange problem that I'm trying to sort out. I have a vendor (Mandrill) that is POSTing a webhook to a site that I have sitting behind my BigIP. BigIPis managing the certificate for the client, there is no server-side cert.

 

This system supports several vendors posting to the same site. This one is slightly different in that it is posting a JSON payload as an encoded URL form field versus just a JSON post.

 

Anyway, the vendor keeps failing on "SSL read: error:00000000:lib(0):func(0):reason(0), errno 104". Since the F5 is hosting the SSL and since I've tried everything else...I've sort of run out of ideas beyond posting here and looking for some ideas on where to look.

 

If I download the content and manually post with curl it works. I've seen this error elsewhere, I'm wondering if there's something I need to allow for given their sending system?

 

app sec
BIG-IP Access Policy Manager (APM)
security

11 Replies

Sort By
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 08, 2013
    I would recommend running an SSLDUMP on the client side interface to see what's going on in the handshake.

     

     

    ssldump - k [path to client SSL profile's private key] -i 0.0 -AnNd port 443 [and any other TCPDUMP-style filters]

     

  • chester_16314's avatar
    chester_16314
    Icon for Nimbostratus rankNimbostratus
    Aug 09, 2013

    Thanks Kevin, I'd like to do that-- but when I run a curl I haven't any issues. The vendor site has the issue and they've yet to admit any issue on their side.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Aug 09, 2013
    Do you know their IP space? Maybe you can just keep the capture running (covertly) while they're testing. You have the private key so you should still be able to see the handshake data.
    • third_eye_13875's avatar
      third_eye_13875
      Icon for Nimbostratus rankNimbostratus
      Mar 11, 2014
      Hey, did you find anything about this? I think we have a similiar problem...
  • Matt_Elkington's avatar
    Matt_Elkington
    Icon for Nimbostratus rankNimbostratus
    May 20, 2014

    I have the same issue.

     

    I have a VIP that is doing SSL offload. In the normal run of things it works fine.

     

    However, I Have an iRule which uses HTTP:respond in certain circumstances to inject a cookie.

     

    When this functionality kicks in I get in a curl:

     

    • SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
    • Closing connection 0

    The iRule works fine under the non HTTPS version of the VIP. It works fine on my lab box, just nto int he live environment.

     

    This is running 11.4.1

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    May 20, 2014

    The SSL read error may actually be an artifact of another issue. Can you check the LTM log for errors (/var/log/ltm).

     

  • tyrel_130997's avatar
    tyrel_130997
    Icon for Nimbostratus rankNimbostratus
    Mar 12, 2015

    I'm experiencing the same SSL error when trying to use a URI rewrite profile, or an iRule to replace the host header. As soon as I apply either I start getting this SSL read error: SSL read: error:00000000:lib(0):func(0):reason(0), errno 104 Empty reply from server Closing connection 0

     

  • john_thedude_34's avatar
    john_thedude_34
    Icon for Nimbostratus rankNimbostratus
    Nov 09, 2017

    Thank you for the above link pointing to the curl version. We have the same problem with the same vendor. Has anyone found a solution on the F5 side?

     

  • irig4u_152672's avatar
    irig4u_152672
    Icon for Nimbostratus rankNimbostratus
    Jan 05, 2018

    Tried creating a scenario in lab to reproduce the error 'SSL read: error:00000000:lib(0):func(0):reason(0), errno 104' , the one that I used to repro error was to configure BIG-IP to default serverssl (v12.1.2) which does not have sslv3 to use and configured server to only accept sslv3.

     

    Tested with curl and managed to get the exact same message in output

     

    GET / HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1l zlib/1.2.3 libidn/1.18 Host: 1.1.1.6 Accept: /

     

    • SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
    • Closing connection 0

    I suppose this would apply even when there is no cipher supported by the destination server that is offered by the client.

     

    Capturing the data on the wire if you should see server responding to client hello with a handshake failure alert then its probably the same condition I tested on.