I need suggestion to fix the issue i'm facing.
Device details: Version 12.1.2, Build 1.0.271, Edition Hotfix HF1
1. No Client and Server SSL profile associated to 'Standard' Vs.
2. Pool member is on 443 port and associated HTTPS monitor.
3. Ciphers - DEFAULT:+SHA:+3DES:+kEDH and under 'Client Cert' and 'Client Key' i have tried using different SSL cert. Still same error and same issue in pcap.
4. Im seeing F5 using TLSv1 protocol for 'Client Hello' in PCAP and server is not responding with 'Server Hello', Server send RST message immediately.
Openssl and curl o/p is as below:
>>Used ab.c.d for my pool member IP.
Command 1 - # openssl s_client -connect a.b.c.d:443
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 277 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Command 2: # curl -I https://a.b.c.d/ForwardSearchOrderSend.svc
curl: (35) Unknown SSL protocol error in connection to a.b.c.d:443
Command 3: # curl -Ivk https://a.b.c.d/ForwardSearchOrderSend.svc
* About to connect() to a.b.c.d port 443 (#0)
* Trying a.b.c.d... connected
* Connected to a.b.c.d (a.b.c.d) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to a.b.c.d:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to a.b.c.d:443
5. I have checked below articles- Still no use.
6. To check with server team about server cert, They rasied question about F5 using 'TLS v1' for 'Client Hello'.
7. Server has Private Interface and Public Interface. Via Public Interface HTTP monitor is working for one application. We want to monitor different App using HTTPS via Private interface.
Can someone suggest whats casuing HTTPS to fail as its old version and no SSL profile, im bit confused.
Interesting problem. I have no suggestion but questions.
You say you do not use any client, nor server ssl profiles. In that case the device should not intercept any SSL at all.
However, you also say you use an HTTPS monitor and this one would try to establish a TLS session when connecting to the pool member. A few questions:
Where are the ciphers you mentioned configured? The HTTPS monitor?
Can you run this command to check what Ciphers that equals?
tmm --serverciphers 'DEFAULT:+SHA:+3DES:+kEDH'
I am not sure if 12.1.2 supports TLS1.2 and if the member server is patched and hardened you might have an issue during the cipher negotiation. Try changing the monitor to TCP to rule it out?
Hello Patrik, Thanks for inputs.
Here are details about Ciphers. This confirms we have TLSv1.2 Ciphers too.
>> Where are the ciphers you mentioned configured? The HTTPS monitor?
> In 12.1.2 HTTPS monitor intself has option to mention Cipher and cert. I have mentoned Ciphers there, No SSL cert mentioned. We have few other HTTPS monitors which is working for different servers/pool, i have compared the configurations, its same. Still this HTTPS monitor is not working.
As per Article 12.x has this option and i see in my 12.1.2 F5. https://support.f5.com/csp/article/K51131340
>> Server has Cert associated with Website. F5 sends 'Client Hello' but no server hello at all. Question is why F5 is sending via TLSv1. PCAP attached. After F5 sends Client Hello, 'SERVER' is sending RST as you see.
Any suggestions? What could be causing this issue?
See, in the Client Hello packet includes the list of protocol and ciphers that the client supports. My suspicion from the things you wrote above would be that the device (F5 BigIP) does not support the ciphers that the server requires.
Perhaps you can confirm this by checking the server config or run the tests from a functioning client and determine one of the supported ciphers from there. If you have no functioning client perhaps looking at the server SSL config would be in order.
'Client hello' has same ciphers and Verson when compared with working and non-working. PFA snap. There are working HTTPS monitor. If you see previous snap, F5 Client Hello is via TLSv1. Why is that? There is no Server SSL profile, so In 12.1.2 version where can we control procol for SSL for HTTPS monitor?
Left-Non Working --- Right-Working.
Sorry for the short reply, I'm not by my PC. Working and not working above is two different servers and the f5 is the client right?
What I was requesting was a Server hello from the one that does not respond to the F5s monitors, but from another more modern client, like a Linux server with a newer version of curl.
This issue could also be missning SNI info in the F5 monitor requests. I'd focus on the server cipher settings and I'd also check if the server needs SNI To route requests to the correct service.
>> Working and not working above is two different servers and the f5 is the client right?
--- Yes. 2 different pool member, same F5 client. Related to 2 different VIP. Both using HTTPS monitor.
>>This issue could also be missning SNI info in the F5 monitor requests. I'd focus on the server cipher settings and I'd also check if the server needs SNI To route requests to the correct service.
> Thanks for this, Im checking Ciphers. We dont have serverssl profile. How do we use SNI here?
>> If far end server doenst have ciphers which we support, do we get 'Server Hello' or we get RST? I just got confirmed with server team that same certificate is installed on server for 4 Apps. HTTPS connections working for other HTTPS communications. But not for F5 HTTPS monitor.
>> If i change the monitor to TCP, it works, URL is accesible via HTTPS. Its just that F5 HTTPS monitor not working.
Suggestions to check further are welcome.
25-Aug-2022 09:17 - edited 25-Aug-2022 14:23
On my mobile again. You're confusing ciphers with certificates.
Very simplified but think of if it as certificates being the secrets and the ciphers as the method of how these secrets are exchanged and how they're encrypted.
Thus a servers can use the same certificates but use different ways of handling the key exchange.
You're using an old version of TMOS and you need to figure out why the server does not accept your TLS handshake.
The best way to do that would be to check these things:
You can see at least one of the server ciphers by doing the following:
Again, you're running an old version and a quick Googling told me that SNI support did not come until v13.
Good luck with the hmcioher hunt. Looking forward to the solution to this mystery!
Don't leave me hanging now. Any updates? 🙂
Still waiting buddy. 🙂
Sorry my friend. Above observation is sent to IIS server team. They sent to MS for analysis. Once i grave update i will provide here. As of now its server side issue wt i understand.