TLS 1.3 and BIG-IP Virtual Edition - BEST

Question

Has there been any changes in the way TLS 1.3 is configured in AWS BEST AMIs after 15.0.1.1 0.0.3 build. Same config works fine with no error on F5 BIG-IP Virtual Edition - BEST 15.0.1.1 0.0.3 and F5 BIG-IP Virtual Edition - GOOD 15.1.0.4 0.0.6 but not for F5 BIG-IP Virtual Edition - BEST 15.1.0.4 0.0.6.

I'm getting the below error:

curl -v -k https://20.0.5.25/30KB.htm

* Trying 20.0.5.25...

* TCP_NODELAY set

* Connected to 20.0.5.25 (20.0.5.25) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* successfully set certificate verify locations:

* CAfile: /etc/ssl/certs/ca-certificates.crt

CApath: /etc/ssl/certs

* TLSv1.3 (OUT), TLS handshake, Client hello (1):

* TLSv1.3 (IN), TLS handshake, Server hello (2):

* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):

* TLSv1.3 (IN), TLS handshake, Unknown (8):

* TLSv1.3 (OUT), TLS alert, Server hello (2):

* error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac

* stopped the pause stream!

* Closing connection 0

curl: (35) error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac

andrew-f5 · Answer

Can you try openssl s_client?openssl s_client -tls1_3 -connect 20.0.5.25:443

ntinos · Answer

Here you are:#openssl s_client -tls1_3 -connect 20.0.5.25:443CONNECTED(00000005)depth=0 C = US, ST = CA, O = Ntinos, CN = ANGverify error:num=18:self signed certificateverify return:1depth=0 C = US, ST = CA, O = Ntinos, CN = ANGverify error:num=26:unsupported certificate purposeverify return:1depth=0 C = US, ST = CA, O = Ntinos, CN = ANGverify error:num=10:certificate has expirednotAfter=Jan 30 23:58:24 2020 GMTverify return:1depth=0 C = US, ST = CA, O = Ntinos, CN = ANGnotAfter=Jan 30 23:58:24 2020 GMTverify return:1139621769810368:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:../ssl/record/ssl3_record.c:677:---Certificate chain&nbsp;0 s:C = US, ST = CA, O = Ntinos, CN = ANG&nbsp;&nbsp;i:C = US, ST = CA, O = Ntinos, CN = ANG---Server certificate-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----subject=C = US, ST = CA, O = Ntinos, CN = ANG&nbsp;issuer=C = US, ST = CA, O = Ntinos, CN = ANG&nbsp;---No client certificate CA names sentServer Temp Key: X25519, 253 bits---SSL handshake has read 1463 bytes and written 240 bytesVerification error: certificate has expired---New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384Server public key is 2048 bitSecure Renegotiation IS NOT supportedCompression: NONEExpansion: NONENo ALPN negotiatedEarly data was not sentVerify return code: 10 (certificate has expired)---

lidev · Answer

Hi Ntinos,Your openssl test reveals that your certificate has expired (Verify return code: 10 (certificate has expired), renews the certificate and this should make it work better😉

ntinos · Answer

Why does this happen only on TLS 1.3 and 1.5.1 BEST? TLS 1.2 works fine.

lidev · Answer

Have you try the same test (openssl s_clien)t but with tls1.2 to see if the result is the same (certificate expired)?openssl s_client -tls1_2 -connect 20.0.5.25:443

Forum Discussion

TLS 1.3 and BIG-IP Virtual Edition - BEST

10 Replies

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

PCI Compliance and ASM

irule for redirect and header injection

What happens if I activate only ASM without provisioning LTM?

Implement load balancing solution with constraints

How to Block Source IP for 24 Hours After TPS Violation (F5 DoS / iRule / SSL Proxy Setup)

Related Content

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

Quick Optimizations for F5 BIG-IP Virtual Edition

Automating Certificate Management on F5 BIG-IP

Installing BIG-IP Next on Nutanix Community Edition

Deploying F5 BIG-IP Virtual Edition on VMware Fusion

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS