
KarimBenyelloul
Mar 29, 2019

Virtual Server with TLS1.3

Hi team,

I have a lab in version 14.1.0.1. I'm trying to deploy a virtual server which handles http over tls version 1.3 (ssl offloading).

However when I access my virtual server I receive the following error message in my browser (firefox 66.0.2 64bit):


An error occurred during a connection to 10.10.245.80. SSL received a record with an incorrect Message Authentication Code. Error code: SSL_ERROR_BAD_MAC_READ


In /var/log/ltm :


Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260013:4: SSL Handshake failed for TCP 10.10.0.1:50827 -> 10.10.245.80:443
Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260009:4: Connection error: ssl_basic_crypto_cb:691: Decryption error (20)


I can provide the pcap while accessing the virtual server. The client side SSL handshake does not succeed. The client seems to not accept bigip's response. I first thought that was a browser issue but with the same browser I'm able to access https://tls13.crypto.mozilla.org/ which is a tls1.3 only website. Moreover, the same ciphers were chosen in both handshakes TLS_AES_128_GCM_SHA256 (0x1301).

Here is my config :


ltm virtual /Common/http_vs {
    creation-time 2019-03-22:14:25:44
    destination /Common/10.10.245.80:443
    ip-protocol tcp
    last-modified-time 2019-03-29:15:33:08
    mask 255.255.255.255
    pool /Common/http_pool
    profiles {
        /Common/http { }
        /Common/kabe_clientssl {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

ltm profile client-ssl /Common/kabe_clientssl {
    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    cipher-group /Common/f5-aes
    ciphers none
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    options { dont-insert-empty-fragments }
}


Could you please help me understand why the TLS handshake is down?

Many thanks,

Karim BENYELLOUL
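As an added example (not from the post, and not F5 code), here is a small Python parser for the two /var/log/ltm lines quoted above: it pairs each 01260013 "SSL Handshake failed" entry with the 01260009 decryption error logged by the same tmm in the same second, and groups the pairs per virtual server so repeated failures against one VS stand out. The sample log lines are constructed to match the format in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the /var/log/ltm excerpt in the post.
SAMPLE_LTM_LOG = """\
Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260013:4: SSL Handshake failed for TCP 10.10.0.1:50827 -> 10.10.245.80:443
Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260009:4: Connection error: ssl_basic_crypto_cb:691: Decryption error (20)
Mar 29 15:48:52 bigip-a warning tmm0[9754]: 01260013:4: SSL Handshake failed for TCP 10.10.0.1:50831 -> 10.10.245.80:443
Mar 29 15:48:52 bigip-a warning tmm0[9754]: 01260009:4: Connection error: ssl_basic_crypto_cb:691: Decryption error (20)
Mar 29 15:49:10 bigip-a warning tmm1[9755]: 01260013:4: SSL Handshake failed for TCP 10.10.0.7:40000 -> 10.10.245.81:443
"""

# Generic ltm line: timestamp, host, level, tmm[pid], 8-hex message id, text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<tmm>tmm\d+)\[\d+\]: (?P<msgid>[0-9A-Fa-f]{8}):\d+: (?P<text>.*)$"
)
HANDSHAKE_RE = re.compile(r"SSL Handshake failed for TCP (?P<client>\S+) -> (?P<vs>\S+)")
DECRYPT_RE = re.compile(r"Decryption error \((?P<code>\d+)\)")


def parse_ltm_line(line):
    """Return the named fields of one ltm log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate_ssl_failures(log_text):
    """Pair each 01260013 handshake failure with the 01260009 decryption error
    logged by the same tmm in the same second; return {vs: [records]}."""
    pending = {}              # (timestamp, tmm) -> record still awaiting its error line
    per_vs = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_ltm_line(raw)
        if rec is None:
            continue
        key = (rec["ts"], rec["tmm"])
        if rec["msgid"] == "01260013":
            hs = HANDSHAKE_RE.search(rec["text"])
            if hs:
                record = {"client": hs["client"], "vs": hs["vs"], "reason": None}
                pending[key] = record
                per_vs[hs["vs"]].append(record)
        elif rec["msgid"] == "01260009" and key in pending:
            de = DECRYPT_RE.search(rec["text"])
            if de:
                pending.pop(key)["reason"] = "decryption_error_" + de["code"]
    return dict(per_vs)
```

Run it over your own /var/log/ltm to see whether every handshake failure against the VS carries the same decryption error, which points at the TLS record layer (cipher/MAC) rather than at one particular client.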

2 Replies

  • According to this thread, it seems that AES ciphers can cause this error on certain versions. Perhaps this is a similar issue to what you are experiencing. Have you tried changing the ciphers to 3DES to see if that resolves the issue?


    Here is a link to the documentation on modifying the cipher string.


    If you have any more questions, I am sure I can help.