Forum Discussion
See, the Client Hello packet includes the list of protocols and ciphers that the client supports. My suspicion from the things you wrote above would be that the device (F5 BigIP) does not support the ciphers that the server requires.
Perhaps you can confirm this by checking the server config or running the tests from a functioning client and determining one of the supported ciphers from there. If you have no functioning client, perhaps looking at the server SSL config would be in order.
Kind regards,
Patrik
>> If the far end server doesn't have ciphers which we support, do we get 'Server Hello' or do we get RST? I just got confirmation from the server team that the same certificate is installed on the server for 4 apps. HTTPS connections are working for other HTTPS communications, but not for the F5 HTTPS monitor.
>> If I change the monitor to TCP, it works, and the URL is accessible via HTTPS. It's just that the F5 HTTPS monitor is not working.
Suggestions to check further are welcome.
- Aug 25, 2022
On my mobile again. You're confusing ciphers with certificates.
Very simplified, but think of it as certificates being the secrets and the ciphers as the method of how these secrets are exchanged and how they're encrypted.
Thus servers can use the same certificates but use different ways of handling the key exchange.
You're using an old version of TMOS and you need to figure out why the server does not accept your TLS handshake.
The best way to do that would be to check these things:
- Which cipher suite is the server using?
- Does it depend on SNI?
You can see at least one of the server ciphers by doing the following:
- Set the monitor to TCP
- Determine at least one cipher by capturing the session or by using the script that this clever guy wrote: https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers
Again, you're running an old version and a quick Googling told me that SNI support did not come until v13.
Good luck with the cipher hunt. Looking forward to the solution to this mystery!
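
An added example, not part of the thread and not F5 or server tooling: it parses a captured ClientHello record, extracts the offered cipher suites and the SNI name, and compares them with what the server accepts, which are the two checks listed above. The function names, the records built by `build_client_hello`, and the server policy passed to `diagnose` are assumptions made for illustration.

```python
import struct

# IANA names for the suites used in the constructed samples; others print as hex.
SUITE_NAMES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
               0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
               0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}

def parse_client_hello(record: bytes) -> dict:
    """Return offered cipher suites and SNI from one complete ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                      # record hdr + handshake hdr, version, random
    pos += 1 + record[pos]                # session_id
    (n,) = struct.unpack_from("!H", record, pos)
    suites = list(struct.unpack_from(f"!{n // 2}H", record, pos + 2))
    pos += 2 + n
    pos += 1 + record[pos]                # compression methods
    sni = None
    if pos + 2 <= len(record):            # extensions are optional in old clients
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos, end = pos + 2, pos + 2 + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            if ext_type == 0:             # server_name: list len(2), type(1), name len(2)
                (name_len,) = struct.unpack_from("!H", record, pos + 7)
                sni = record[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + ext_len
    return {"suites": suites, "sni": sni}

def build_client_hello(suites, sni=None) -> bytes:
    """Build a minimal ClientHello record (constructed sample, not a real capture)."""
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites) + b"\x01\x00")
    if sni:
        name = sni.encode("ascii")
        body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        hello += struct.pack("!HHH", len(body) + 4, 0, len(body)) + body
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def diagnose(record, server_suites, server_needs_sni):
    """Compare a ClientHello with an assumed server policy; return (shared, problems)."""
    hello = parse_client_hello(record)
    shared = [SUITE_NAMES.get(s, hex(s)) for s in hello["suites"] if s in server_suites]
    problems = [] if shared else ["no shared cipher suite"]
    if server_needs_sni and hello["sni"] is None:
        problems.append("SNI missing")
    return shared, problems
```

To use it on real traffic, pass the raw bytes of the first TLS record sent by the monitor (exported from a packet capture) as `record`, and the suite IDs found by enumerating the server as `server_suites`.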
- Aug 27, 2022
Don't leave me hanging now. Any updates? 🙂
- Sep 09, 2022
Still waiting buddy. 🙂
/Patrik