SSL Renegotiation Error - HTTPS Health Check?
[02/Jun/2011:14:27:06] failure ( 5885): for host 10.10.10.2 trying to GET /index.html while trying to GET /, Client-Auth reports: HTTP4026: SSL operation failed (SSL_ERROR_RENEGOTIATION_NOT_ALLOWED: SSL renegotiation is not allowed.)
[02/Jun/2011:14:27:10] failure ( 5885): for host 10.10.10.3 trying to GET /, Client-Auth reports: HTTP4026: SSL operation failed (SSL_ERROR_RENEGOTIATION_NOT_ALLOWED: SSL renegotiation is not allowed.)
[02/Jun/2011:14:27:10] failure ( 5885): for host 10.10.10.3 trying to GET /index.html while trying to GET /, Client-Auth reports: HTTP4026: SSL operation failed (SSL_ERROR_RENEGOTIATION_NOT_ALLOWED: SSL renegotiation is not allowed.)
5 Replies
- nitass
Employee
pool member requires ssl renegotiation, doesn't it?
if so, what bigip version r u running?
there is bug id 338150 - https monitor needs ssl renegotiation enabled which is fixed in 10.2.1 hf1.
- Michael_Yates
Nimbostratus
Nice. Thank you!
Yours is the best answer I could have hoped for!
- brad_11440
Nimbostratus
I may be running into this bug myself... I have an HTTPS monitor that is constantly marking the nodes as down/up again every 20 - 60 seconds. I am running a version that is affected by the bug. What logging settings do you need to have configured for Local Traffic Logging to see this error?
- nitass
Employee
"What logging settings do you need to have configured for Local Traffic Logging to see this error?"
i think the log Michael showed is from server.
"I may be running into this bug myself"
i think node should always be marked down if you are hitting that bug. by the way, have you ever tried troubleshooting steps Aaron wrote in the following article?
Troubleshooting Ltm Monitors by Aaron
http://devcentral.f5.com/wiki/AdvDesignConfig.TroubleshootingLtmMonitors.ashx
hope this helps.
- brad_11440
Nimbostratus
"i think node should always be marked down if you are hitting that bug."
i thought the bug happened after it was marked up due to the initial connection, after the node tried to initiate the renegotiation. the "ssl renegotiation is not allowed" message led me to believe it was on the f5, since the VIP had ssl renegotiation disabled to fix the tls vulnerability.
"by the way, have you ever tried troubleshooting steps Aaron wrote in the following article?"
Nope, I haven't seen that article yet. Curl looks like it could set me free, potentially. I'll give it a shot, thanks!
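Added example (not part of the original thread and not F5 code): a small Python parser for the server-side log format quoted in the original post. It counts SSL_ERROR_RENEGOTIATION_NOT_ALLOWED failures per client host and the seconds between them, so they can be compared with the monitor's source address and interval. The last two sample lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First three lines are the log from the original post; the last two are constructed.
SAMPLE_LOG = """\
[02/Jun/2011:14:27:06] failure ( 5885): for host 10.10.10.2 trying to GET /index.html while trying to GET /, Client-Auth reports: HTTP4026: SSL operation failed (SSL_ERROR_RENEGOTIATION_NOT_ALLOWED: SSL renegotiation is not allowed.)
[02/Jun/2011:14:27:10] failure ( 5885): for host 10.10.10.3 trying to GET /, Client-Auth reports: HTTP4026: SSL operation failed (SSL_ERROR_RENEGOTIATION_NOT_ALLOWED: SSL renegotiation is not allowed.)
[02/Jun/2011:14:27:10] failure ( 5885): for host 10.10.10.3 trying to GET /index.html while trying to GET /, Client-Auth reports: HTTP4026: SSL operation failed (SSL_ERROR_RENEGOTIATION_NOT_ALLOWED: SSL renegotiation is not allowed.)
[02/Jun/2011:14:27:11] failure ( 5885): for host 10.10.10.2 trying to GET /, Client-Auth reports: HTTP4026: SSL operation failed (SSL_ERROR_RENEGOTIATION_NOT_ALLOWED: SSL renegotiation is not allowed.)
[02/Jun/2011:14:27:15] failure ( 5885): for host 10.10.10.3 trying to GET /, Client-Auth reports: HTTP4026: SSL operation failed (SSL_ERROR_RENEGOTIATION_NOT_ALLOWED: SSL renegotiation is not allowed.)
"""

LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+failure\s+\(\s*(?P<pid>\d+)\):\s+"
    r"for host (?P<host>\S+) trying to (?P<method>[A-Z]+) (?P<path>\S+?)"
    r"(?: while trying to [A-Z]+ \S+?)?, "
    r"(?P<subsystem>[\w-]+) reports: (?P<code>HTTP\d+): .*?\((?P<ssl_error>SSL_ERROR_\w+):"
)

def parse_failures(log_text):
    """Yield (timestamp, host, path, ssl_error) for each parsable failure line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            yield ts, m["host"], m["path"], m["ssl_error"]

def renegotiation_summary(log_text):
    """Per client host: failure count and gaps (seconds) between distinct failure times."""
    times = defaultdict(set)
    counts = defaultdict(int)
    for ts, host, _path, err in parse_failures(log_text):
        if err == "SSL_ERROR_RENEGOTIATION_NOT_ALLOWED":
            counts[host] += 1
            times[host].add(ts)
    summary = {}
    for host, seen in times.items():
        ordered = sorted(seen)
        gaps = [int((b - a).total_seconds()) for a, b in zip(ordered, ordered[1:])]
        summary[host] = {"failures": counts[host], "gaps_s": gaps}
    return summary

if __name__ == "__main__":
    for host, info in sorted(renegotiation_summary(SAMPLE_LOG).items()):
        print(host, info)
```

If the hosts and gaps match the monitor's source addresses and configured interval, the rejected renegotiations are coming from the health check rather than from ordinary clients.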