Forum Discussion
Alright, back again. We had a 4200 unit lying around which was recently reclaimed from another location. I've wiped it clean and upgraded the software to BIG-IP 15.1.0 Build 0.0.31 Final. I've duplicated the VIP setup from last time and appended the C3D pieces to the client/server SSL profiles. I seem to be stuck at the client cert handshake:
New TCP connection #3: 10.93.169.32(57353) <-> 10.144.20.10(443)
3 1 0.0515 (0.0515) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
extensions
server_name
status_request
supported_groups
ec_point_formats
SessionTicket
extended_master_secret
Unknown extension (0x18)
renegotiation_info
3 2 0.0526 (0.0010) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
cf e2 d9 64 73 36 1d d9 56 ca c2 8c 7b 9e 65 82
b8 b5 15 06 e3 01 d1 9a 1a 6c 08 82 8b 6e f5 d0
cipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
compressionMethod NULL
extensions
renegotiation_info
ec_point_formats
extended_master_secret
3 3 0.0526 (0.0000) S>C Handshake
Certificate
3 4 0.0526 (0.0000) S>C Handshake
ServerKeyExchange
3 5 0.0526 (0.0000) S>C Handshake
CertificateRequest
certificate_types rsa_sign
certificate_types dss_sign
certificate_types ecdsa_sign
3 6 0.0526 (0.0000) S>C Handshake
ServerHelloDone
3 7 0.1059 (0.0533) C>S Handshake
Certificate
ClientKeyExchange
CertificateVerify
3 8 0.1059 (0.0000) C>S ChangeCipherSpec
3 9 0.1059 (0.0000) C>S Handshake
3 10 0.1063 (0.0003) S>C Alert
level fatal
value handshake_failure
3 0.1063 (0.0000) S>C TCP FIN
3 0.1342 (0.0279) C>S TCP FIN
New TCP connection #4: 10.93.169.32(57354) <-> 10.144.20.10(443)
4 0.0203 (0.0203) C>S TCP FIN
4 0.0203 (0.0000) S>C TCP FIN
(cfg-sync Standalone)(Active)(/Common)(tmos)#
- Simon_Blakely, Feb 06, 2020 (Employee)
You probably need to capture both the client and server-side handshakes at the same time.
You may be getting a server-side authentication failure when the forged certificate is passed to the pool member.
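As an added diagnostic aid (not part of the original thread, not F5 tooling, and not the poster's or Simon_Blakely's code), the following script parses an ssldump-style trace such as the one above and reports, per TCP connection, which side sent the fatal alert and what the peer had sent immediately before it. The sample trace is an abridged copy of the one in the post; the line layout it assumes (connection header, `conn seq time (delta) C>S Type` record lines, detail lines following each record) is an assumption based on that output, and the labelling of an undecodable Handshake record after ChangeCipherSpec as the encrypted Finished is an inference, since ssldump cannot decrypt it without keys.

```python
"""Parse an ssldump-style TLS trace and locate where each connection's handshake failed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: an abridged copy of the client-side trace from the post.
SAMPLE_TRACE = """\
New TCP connection #3: 10.93.169.32(57353) <-> 10.144.20.10(443)
3 1 0.0515 (0.0515) C>S Handshake
ClientHello
Version 3.1
3 2 0.0526 (0.0010) S>C Handshake
ServerHello
Version 3.1
3 3 0.0526 (0.0000) S>C Handshake
Certificate
3 4 0.0526 (0.0000) S>C Handshake
ServerKeyExchange
3 5 0.0526 (0.0000) S>C Handshake
CertificateRequest
certificate_types rsa_sign
3 6 0.0526 (0.0000) S>C Handshake
ServerHelloDone
3 7 0.1059 (0.0533) C>S Handshake
Certificate
ClientKeyExchange
CertificateVerify
3 8 0.1059 (0.0000) C>S ChangeCipherSpec
3 9 0.1059 (0.0000) C>S Handshake
3 10 0.1063 (0.0003) S>C Alert
level fatal
value handshake_failure
3 0.1063 (0.0000) S>C TCP FIN
3 0.1342 (0.0279) C>S TCP FIN
New TCP connection #4: 10.93.169.32(57354) <-> 10.144.20.10(443)
4 0.0203 (0.0203) C>S TCP FIN
4 0.0203 (0.0000) S>C TCP FIN
"""

# TLS 1.2 handshake message names as ssldump prints them (assumed set).
HANDSHAKE_MSGS = {
    "HelloRequest", "ClientHello", "ServerHello", "Certificate", "ServerKeyExchange",
    "CertificateRequest", "ServerHelloDone", "CertificateVerify", "ClientKeyExchange",
    "Finished", "NewSessionTicket", "CertificateStatus",
}
CONN_RE = re.compile(r"^New TCP connection #(\d+): (\S+) <-> (\S+)$")
REC_RE = re.compile(r"^(\d+) (\d+) [\d.]+ \([\d.]+\) ([CS])>([CS]) (\w+)$")
FIN_RE = re.compile(r"^(\d+) [\d.]+ \([\d.]+\) ([CS])>([CS]) TCP FIN$")


@dataclass
class Record:
    direction: str                      # "C>S" or "S>C"
    kind: str                           # Handshake, ChangeCipherSpec, Alert, ...
    details: list = field(default_factory=list)


@dataclass
class Connection:
    conn_id: int
    client: str
    server: str
    records: list = field(default_factory=list)


def parse_ssldump(text: str) -> dict:
    """Group a trace into connections; detail lines attach to the record above them."""
    conns, current_conn, current_rec = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            current_conn = Connection(int(m.group(1)), m.group(2), m.group(3))
            conns[current_conn.conn_id] = current_conn
            current_rec = None
            continue
        m = REC_RE.match(line)
        if m and current_conn is not None:
            current_rec = Record(f"{m.group(3)}>{m.group(4)}", m.group(5))
            current_conn.records.append(current_rec)
            continue
        if FIN_RE.match(line):
            current_rec = None          # TCP teardown carries no TLS payload
            continue
        if current_rec is not None:     # anything else describes the current record
            current_rec.details.append(line)
    return conns


def handshake_messages(conn: Connection) -> list:
    """Flatten a connection into (direction, message) pairs in wire order."""
    out = []
    for rec in conn.records:
        if rec.kind == "Handshake":
            names = [d for d in rec.details if d in HANDSHAKE_MSGS]
            # An opaque Handshake record after ChangeCipherSpec is the encrypted Finished.
            out.extend((rec.direction, n) for n in (names or ["Finished (encrypted)"]))
        elif rec.kind == "Alert":
            level = next((d.split()[1] for d in rec.details if d.startswith("level ")), "?")
            value = next((d.split()[1] for d in rec.details if d.startswith("value ")), "?")
            out.append((rec.direction, f"Alert {level} {value}"))
        else:
            out.append((rec.direction, rec.kind))
    return out


def diagnose(conn: Connection) -> Optional[dict]:
    """Find the first fatal alert and report what the peer had sent just before it."""
    msgs = handshake_messages(conn)
    for i, (direction, msg) in enumerate(msgs):
        if msg.startswith("Alert fatal "):
            peer_msgs = [m for d, m in msgs[:i] if d != direction]
            return {
                "conn": conn.conn_id,
                "direction": direction,
                "alert": msg.split()[2],
                "last_peer_message": peer_msgs[-1] if peer_msgs else None,
                "client_sent_certificate": ("C>S", "Certificate") in msgs[:i],
            }
    return None


if __name__ == "__main__":
    for cid, conn in sorted(parse_ssldump(SAMPLE_TRACE).items()):
        d = diagnose(conn)
        print(f"#{cid} {conn.client} -> {conn.server}: "
              + ("no fatal alert" if d is None else
                 f"{d['direction']} fatal {d['alert']} after peer sent {d['last_peer_message']}"
                 f" (client cert sent: {d['client_sent_certificate']})"))
```

Run it once on the client-side capture and once on the server-side capture taken at the same time, as the reply suggests. If the client-side trace shows the alert arriving only after the client's Finished, while the server-side trace shows the pool member rejecting the forged certificate, the failure is on the server-side leg rather than in the client's own certificate.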