Forum Discussion
Virtual Server with TLS1.3
Hi team,
I have a lab in version 14.1.0.1. I'm trying to deploy a virtual server which handles HTTP over TLS version 1.3 (SSL offloading).
However, when I access my virtual server I receive the following error message in my browser (Firefox 66.0.2 64-bit):
An error occurred during a connection to 10.10.245.80. SSL received a record with an incorrect Message Authentication Code. Error code: SSL_ERROR_BAD_MAC_READ
In /var/log/ltm:
Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260013:4: SSL Handshake failed for TCP 10.10.0.1:50827 -> 10.10.245.80:443
Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260009:4: Connection error: ssl_basic_crypto_cb:691: Decryption error (20)
I can provide the pcap while accessing the virtual server. The client side SSL handshake does not succeed. The client seems to not accept bigip's response. I first thought that was a browser issue, but with the same browser I'm able to access https://tls13.crypto.mozilla.org/, which is a TLS 1.3-only website. Moreover, the same cipher was chosen in both handshakes: TLS_AES_128_GCM_SHA256 (0x1301).
Here is my config:
ltm virtual /Common/http_vs {
    creation-time 2019-03-22:14:25:44
    destination /Common/10.10.245.80:443
    ip-protocol tcp
    last-modified-time 2019-03-29:15:33:08
    mask 255.255.255.255
    pool /Common/http_pool
    profiles {
        /Common/http { }
        /Common/kabe_clientssl {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm profile client-ssl /Common/kabe_clientssl {
    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    cipher-group /Common/f5-aes
    ciphers none
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    options { dont-insert-empty-fragments }
}
Could you please help me understand why the TLS handshake is down?
Many thanks,
Karim BENYELLOUL
- Karim
Cirrostratus
Any help on this please?
- Rico
Cirrus
According to this thread, it seems that AES ciphers can cause this error on certain versions. Perhaps this is a similar issue to what you are experiencing. Have you tried changing the ciphers to 3DES to see if that resolves the issue?
Here is a link to the documentation on modifying the cipher string.
If you have any more questions, I am sure I can help.
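An added diagnostic helper for this kind of case (not code from the thread or from F5): it parses the /var/log/ltm lines quoted in the question to pull out the client/virtual-server pair behind message 01260013 and the decryption error code behind 01260009, and it negotiates a TLS 1.3-only connection to the virtual server so the negotiated version and cipher can be checked independently of the browser before touching the cipher group. The address 10.10.245.80:443 and the self-signed default.crt are the lab values from the post; disabling certificate verification for the probe is an assumption.

```python
import re
import socket
import ssl
from collections import Counter
# The two /var/log/ltm lines quoted in the post above.
SAMPLE_LTM_LINES = [
    "Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260013:4: SSL Handshake failed "
    "for TCP 10.10.0.1:50827 -> 10.10.245.80:443",
    "Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260009:4: Connection error: "
    "ssl_basic_crypto_cb:691: Decryption error (20)",
]
# LTM layout: "<ts> <host> <severity> <proc>[<pid>]: <msgid>:<level>: <text>"
LTM_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<sev>\w+) "
                    r"(?P<proc>\w+)\[\d+\]: (?P<msgid>[0-9a-f]{8}):\d: (?P<text>.*)$")
HANDSHAKE_RE = re.compile(r"SSL Handshake failed for TCP (?P<client>\S+) -> (?P<virtual>\S+)")
DECRYPT_RE = re.compile(r"Decryption error \((?P<code>\d+)\)")

def parse_ltm_ssl_event(line):
    """Describe one LTM log line as a dict; None if the line is not in LTM format."""
    m = LTM_RE.match(line)
    if not m:
        return None
    event = {"msgid": m["msgid"], "tmm": m["proc"], "text": m["text"]}
    if h := HANDSHAKE_RE.search(m["text"]):       # 01260013: which client failed against which VS
        event.update(client=h["client"], virtual=h["virtual"])
    if d := DECRYPT_RE.search(m["text"]):         # 01260009: record-layer decrypt failure
        event["decrypt_error"] = int(d["code"])
    return event

def summarize_ssl_failures(lines):
    """Count parsed lines per message id, so a burst of 01260013/01260009 stands out."""
    return Counter(e["msgid"] for e in map(parse_ltm_ssl_event, lines) if e)

def probe_tls13(host, port=443, timeout=5.0):
    """Negotiate TLS 1.3 only and return (version, cipher), or ("handshake failed", reason).
    Verification is off because the lab VS serves the self-signed default.crt (assumption)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return "handshake failed", getattr(exc, "reason", str(exc))

if __name__ == "__main__":
    print(summarize_ssl_failures(SAMPLE_LTM_LINES))
    print(probe_tls13("10.10.245.80"))  # the virtual server address from the post
```

If the probe reports "handshake failed" with a decrypt or bad-record-MAC reason while the same client reaches a known-good TLS 1.3 site, the fault is on the BIG-IP side of the record layer rather than in the browser.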