SSL handshake unsupported ciphers

Ram_T_S
Altostratus

Hi Team,

I'm running a VS on port 443 and backend nodes on port 8080.

ClientSSL and ServerSSL are configured.

The monitoring is generic tcp on 8080 and it's good too.

There is a page in backend node, /server/login

When I try to curl -v -k https://10.1.1.1:8080/server/login it's failing. But if I open it with the VIP URL https://10.1.2.1/server/login it's working fine.

I did a packet capture between the Self IP and the backend node, and the SSLDUMP output shows unsupported ciphers in ServerHello. I thought the backend node was not supporting HTTPS and tried removing the serverssl, but as soon as I remove it the VIP stops working.

Need an expert's view to find the cause of this.

6 REPLIES

neeeewbie
MVP

You can check the supported ciphers on F5:

https://support.f5.com/csp/article/K15194

You need matching ciphers with the servers.

boneyard
MVP

Was this solved for you, Ram T S?

Ram_T_S
Altostratus

Hi, thanks for the reply,

I will compare with the server-side ciphers, but I'm curious to understand how it is working for now. Because the handshake is rejected if I CURL from the F5, but the monitor is UP and clients are able to access the same page.

Well, curl can use different ciphers than the BIG-IP health monitor. In your case you say the health monitor is TCP on 8080, so the health monitor isn't even using a cipher.

Your client traffic will be handled by the server SSL profile, which can also use different ciphers or TLS version than curl.

As for an explanation why it might work now.

For monitoring with TCP and making a test with curl, please don't take any offense, but you are comparing apples and pears. A TCP monitor will check if whatever service responds on port 8080, HTTP protocol is not involved at all. Curl will send an actual HTTP request and you will see the HTTP server response.

 

Can you check, maybe there is an iRule that would disable SSL on the server side under certain circumstances? Something matching this string?

SSL::disable serverside
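
Added example, not part of any post in this thread: a small Python probe that separates the two checks the replies above contrast, a bare TCP connect (all a generic TCP monitor does) and a TLS handshake offering a chosen cipher list. The function names, the local listener standing in for a node, and the cipher string `ECDHE+AESGCM` are constructed for illustration; point `tls_probe` at the real node with different OpenSSL cipher strings to see which ones it accepts.

```python
import socket
import ssl
import threading

def tcp_monitor(host, port, timeout=3.0):
    """All a generic TCP monitor proves: the port completes a TCP handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_probe(host, port, ciphers=None, timeout=3.0):
    """Try a TLS handshake, optionally limiting the offered TLS 1.2 ciphers.
    Returns (ok, detail): the negotiated version and cipher, or the error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # same trust model as curl -k: diagnosis only
    ctx.verify_mode = ssl.CERT_NONE
    if ciphers:
        ctx.set_ciphers(ciphers)     # OpenSSL cipher-string syntax
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except OSError as exc:           # ssl.SSLError is a subclass of OSError
        return False, f"{type(exc).__name__}: {exc}"

def start_plain_listener():
    """Constructed stand-in node: accepts TCP, then closes without any TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo():
    srv, port = start_plain_listener()
    try:
        return tcp_monitor("127.0.0.1", port), tls_probe("127.0.0.1", port, "ECDHE+AESGCM")
    finally:
        srv.close()

if __name__ == "__main__":
    print(demo())
```

Against the constructed listener the TCP check reports up while the handshake fails, which is the same split the thread describes between the monitor and curl.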

 

 

Ram_T_S
Altostratus

Thanks for the response, guys.

Now it makes sense to me; I was confused why it's failing only for CURL. Now clear, thanks once again.

FYI: No iRule with the string mentioned.