Forum Discussion

chester_16314
Aug 08, 2013

SSL Read Error

I have a strange problem that I'm trying to sort out. I have a vendor (Mandrill) that is POSTing a webhook to a site that I have sitting behind my BigIP. BigIP is managing the certificate for the client, there is no server-side cert.

 

This system supports several vendors posting to the same site. This one is slightly different in that it is posting a JSON payload as an encoded URL form field versus just a JSON post.

 

Anyway, the vendor keeps failing on "SSL read: error:00000000:lib(0):func(0):reason(0), errno 104". Since the F5 is hosting the SSL and since I've tried everything else...I've sort of run out of ideas beyond posting here and looking for some ideas on where to look.

 

If I download the content and manually post with curl it works. I've seen this error elsewhere, I'm wondering if there's something I need to allow for given their sending system?

 

  • Tried creating a scenario in lab to reproduce the error 'SSL read: error:00000000:lib(0):func(0):reason(0), errno 104'. The one that I used to repro the error was to configure BIG-IP to default serverssl (v12.1.2), which does not have SSLv3 to use, and configure the server to only accept SSLv3.

     

    Tested with curl and managed to get the exact same message in output

     

    GET / HTTP/1.1
    User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1l zlib/1.2.3 libidn/1.18
    Host: 1.1.1.6
    Accept: */*

    * SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
    * Closing connection 0

    I suppose this would apply even when there is no cipher supported by the destination server that is offered by the client.

     

    Capturing the data on the wire, if you should see the server responding to the client hello with a handshake failure alert, then it's probably the same condition I tested on.

     

  • Thank you for the above link pointing to the curl version. We have the same problem with the same vendor. Has anyone found a solution on the F5 side?

     

  • I'm experiencing the same SSL error when trying to use a URI rewrite profile, or an iRule to replace the host header. As soon as I apply either I start getting this SSL read error: SSL read: error:00000000:lib(0):func(0):reason(0), errno 104 Empty reply from server Closing connection 0

     

  • The SSL read error may actually be an artifact of another issue. Can you check the LTM log for errors (/var/log/ltm)?

     

  • I have the same issue.

     

    I have a VIP that is doing SSL offload. In the normal run of things it works fine.

     

    However, I have an iRule which uses HTTP::respond in certain circumstances to inject a cookie.

     

    When this functionality kicks in I get in a curl:

     

    * SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
    * Closing connection 0

    The iRule works fine under the non-HTTPS version of the VIP. It works fine on my lab box, just not in the live environment.

     

    This is running 11.4.1

     

    • third_eye_13875
      Hey, did you find anything about this? I think we have a similar problem...
  • Do you know their IP space? Maybe you can just keep the capture running (covertly) while they're testing. You have the private key so you should still be able to see the handshake data.
  • Thanks Kevin, I'd like to do that-- but when I run a curl I haven't any issues. The vendor site has the issue and they've yet to admit any issue on their side.

     

  • I would recommend running an SSLDUMP on the client side interface to see what's going on in the handshake.

     

     

    ssldump -k [path to client SSL profile's private key] -i 0.0 -AnNd port 443 [and any other TCPDUMP-style filters]
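
Added example, not part of any post in this thread: once a capture of the handshake is available, the first bytes the server sends after the ClientHello show whether it answered with a fatal alert, a ServerHello, or nothing at all. The Python below decodes those bytes; the function names and the sample byte strings are constructed for illustration.

```python
# Added example (not from the thread): classify the first bytes a server sends
# back after a ClientHello. All sample byte strings below are constructed.
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of alert descriptions tied to version/cipher mismatch (RFC 5246).
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      70: "protocol_version", 71: "insufficient_security",
                      80: "internal_error", 112: "unrecognized_name"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def parse_records(data):
    """Split a byte stream into TLS records: (content_type, version, payload)."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated TLS record header")
        ctype, version, length = struct.unpack_from("!BHH", data, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError("not a TLS record (content type %d)" % ctype)
        payload = data[offset + 5: offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record payload")
        records.append((ctype, version, payload))
        offset += 5 + length
    return records


def classify_server_reply(data):
    """Describe what the peer sent in response to a ClientHello."""
    if not data:
        # No record arrived before the connection ended.
        return "no TLS data: connection closed or reset before any record"
    ctype, version, payload = parse_records(data)[0]
    ver = VERSIONS.get(version, hex(version))
    if ctype == 21 and len(payload) == 2:
        level, desc = payload
        return "alert %s/%s (%s)" % (ALERT_LEVELS.get(level, level),
                                     ALERT_DESCRIPTIONS.get(desc, desc), ver)
    if ctype == 22 and payload[:1] == b"\x02":
        return "server_hello (%s): handshake proceeding" % ver
    return "%s record (%s)" % (CONTENT_TYPES[ctype], ver)


# Constructed samples: a fatal handshake_failure alert and a minimal ServerHello stub.
ALERT_SAMPLE = bytes.fromhex("15030300020228")
HELLO_SAMPLE = bytes.fromhex("1603030006020000020303")
```

An empty reply and a fatal alert both end the client's read, so the decoded record is what tells a protocol or cipher mismatch apart from a connection dropped for another reason.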