Proxy SSL unavailable suite (47) issue

レザ
Altostratus

Hi,

I'm trying to configure Proxy SSL for our company HTTPS website. I have imported the required certificate and private key in the Traffic Certificate Management section, created SSL client and server profiles, assigned the corresponding certificate and key that I imported, and checked Proxy SSL on both of these profiles. But when I assign these profiles to the virtual server, I get the following error in my browser (Firefox):

Secure Connection Failed
An error occurred during a connection to www.xyz.com. Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Also, I get the following messages in the /var/log/ltm file:

Aug 27 16:01:55 bigip1 err tmm2[15521]: 01260025:3: Cipher c014:3 negotiated is not supported by Proxy SSL configured in virtual server ...
Aug 27 16:01:55 bigip1 err tmm2[15521]: Connection error: ssl_hs_pxy_scan:14123: unavailable suite (47)
Aug 27 16:01:55 bigip1 warning tmm2[15521]: 01260013:4: SSL Handshake failed for TCP a.a.a.a:443 -> b.b.b.b:60013 (Server -> Self)
Aug 27 16:01:55 bigip1 warning tmm2[15521]: 01260013:4: SSL Handshake failed for TCP c.c.c.c:60013 -> d.d.d.d:443 (Client -> VIP)

This is the first time I want to do SSL Proxy and I think I misconfigured something in the settings.

Thanks

2 REPLIES

Hello,

What software version are you running? As per the article below, "SSL handshakes will fail when the client requests to use the TLS 1.1 or TLS 1.2 protocol through the Proxy SSL-enabled virtual server". This is an old software version, and that's why I'm asking about the current version used.

KB: https://support.f5.com/csp/article/K14571

Also, please check the article below for the SSL cipher negotiation and recommendations sections:

https://support.f5.com/csp/article/K13385

BR,

MSalah

Kevin_Stewart
F5 Employee

Cipher C014 corresponds to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

ProxySSL only works with non-PFS ciphers (i.e., only ciphers with RSA handshakes). ProxySSL cannot be used with DH, DHE, ECC, or any TLS 1.3.

Can you elaborate on why you need to use ProxySSL?
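
Added example (not part of the thread and not F5 code): this Python script reads the 01260025 message from the log excerpt in the question, maps the cipher ID to its IANA suite name, and reports whether the key exchange is static RSA, the only kind the reply above says ProxySSL supports. The suite table is a small subset chosen for illustration, and the function names are hypothetical.

```python
import re

# Subset of IANA TLS cipher suite IDs (illustrative, not exhaustive).
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3 suite
}

# Matches the 01260025 message format shown in the question's log excerpt.
REJECTED = re.compile(
    r"01260025:\d+: Cipher ([0-9a-fA-F]{4}):\d+ negotiated is not supported by Proxy SSL"
)

def key_exchange(name):
    """Derive the key exchange from an IANA suite name."""
    if name.startswith("TLS_RSA_WITH_"):
        return "RSA"  # static RSA key exchange, no forward secrecy
    m = re.match(r"TLS_(ECDHE|DHE|ECDH|DH)_", name)
    if m:
        return m.group(1)
    return "TLS1.3" if re.match(r"TLS_(AES|CHACHA20)_", name) else "other"

def explain_rejections(lines):
    """Return one finding per cipher that the log says ProxySSL rejected."""
    findings = []
    for line in lines:
        m = REJECTED.search(line)
        if not m:
            continue
        name = SUITES.get(int(m.group(1), 16))
        kx = key_exchange(name) if name else "unknown"
        findings.append({"id": m.group(1).lower(), "name": name,
                         "kx": kx, "static_rsa": kx == "RSA"})
    return findings

def static_rsa_suites(suite_ids):
    """Filter a list of suite IDs down to those with static RSA key exchange."""
    return [SUITES[i] for i in suite_ids
            if i in SUITES and key_exchange(SUITES[i]) == "RSA"]

# Two lines copied from the log excerpt in the question.
SAMPLE_LOG = [
    "Aug 27 16:01:55 bigip1 err tmm2[15521]: 01260025:3: Cipher c014:3 negotiated is not supported by Proxy SSL configured in virtual server ...",
    "Aug 27 16:01:55 bigip1 err tmm2[15521]: Connection error: ssl_hs_pxy_scan:14123: unavailable suite (47)",
]
```
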