Jan 11, 2017
SSL Profile Handshake/Failure statistics (such fun, must look, so much question)
Hi!
Fair warning, long post. TL;DR = "How to decipher SSL profile statistics"
Looking at the SSL profile handshake statistics and trying to decipher what they mean. It feels a bit like looking at a triple rainbow!
There are more of them, but I'll focus on a few to keep it manageable:
Certificates/Handshakes
Valid Certificates 0
Invalid Certificates 0
No Certificates 0
Mid-Connection Handshakes 0
Secure Handshakes 0
Current Active Handshakes 0
Insecure Handshakes Accepted 0
Insecure Handshakes Rejected 0
Insecure Renegotiations Rejected 0
Mismatched Server Name Rejected 0
Failures
Premature Disconnects 0
Handshake Failures 0
Renegotiations Rejected 0
Aggregate Renegotiations Rejected 0
Fatal Alerts 0
Active Handshakes Rejected 0
Found some articles on the topic:
Thought I had really found the answer here, as the "Help" tab in the web UI is generally pretty awesome. But not in this case:
Certificates/Handshakes
Displays certificate and SSL handshake data for Client SSL profile traffic.
https://devcentral.f5.com/articles/ssl-profiles-part-1
This series is really awesome. Props to John and Jason!
On to some theories (and answers from F5):
Certificates/Handshakes
Valid Certificates - Valid client certificates
Invalid Certificates - Invalid client certificates
No Certificates - No client certificate presented
Mid-Connection Handshakes - Successful renegotiations show up under the "Certificates/Handshakes" heading under the "Mid-Connection Handshakes" field.
Secure Handshakes - A patched client
Current Active Handshakes - SSL sessions being established right now
Insecure Handshakes Accepted - An unpatched client. First connection accepted (Profile is Request or Require).
Insecure Handshakes Rejected - An unpatched client. First connection rejected (Profile is Request Strict).
Insecure Renegotiations Rejected - An unpatched client. First renegotiation attempt rejected (Profile is Require).
Failures
Mismatched Server Name Rejected - ?
Premature Disconnects - Session not closed gracefully
Handshake Failures - Client and server not able to agree on a cipher
Renegotiations Rejected - Escalated within F5
Aggregate Renegotiations Rejected - Escalated within F5
Fatal Alerts - For a Fatal Alert the reason can be very different, for example: no common ciphers for client and server; the client does not send a client cert when client authentication is enabled on BIG-IP; the maximum number of allowed handshakes configured has been reached; or the timer that kicks in after the 3WHS is completed fires: if the SSL handshake does not complete within the configured value, then SSL Handshake Timeout Exceeded, a Fatal Alert is sent and the connection is reset by BIG-IP.
Active Handshakes Rejected - Currently rejected handshakes?
Records
In - Self-explanatory
Out - Self-explanatory
Bad - Escalated within F5
DTLS Tx Pushbacks - Escalated within F5
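As an added example (not from the original post and not F5's code), here is a small Python script that parses a counter dump in the two-column shape shown above, takes two snapshots and flags the counters that the theories above associate with rejections or failures when they rise between the snapshots. The section and counter names are the ones listed in the post; the counter values and the snapshot timing are constructed for the example.

```python
"""Compare two snapshots of Client SSL profile counters and flag rising failures.

Constructed example: counter names follow the post above, values are made up.
"""
import re

# Section headings exactly as they appear in the counter dump.
SECTIONS = ("Certificates/Handshakes", "Failures", "Records")

# Counters outside the "Failures" section that the theories in the post
# still read as "something was rejected or was bad".
REJECTION_COUNTERS = {
    "Invalid Certificates",
    "Insecure Handshakes Rejected",
    "Insecure Renegotiations Rejected",
    "Mismatched Server Name Rejected",
    "Bad",
}

# A counter line is "<name> <integer>"; names may contain spaces, slashes and hyphens.
COUNTER_RE = re.compile(r"^(?P<name>.+?)\s+(?P<value>\d+)$")

# Constructed snapshots, a few minutes apart (not real BIG-IP output).
BEFORE = """
Certificates/Handshakes
Valid Certificates 120
Invalid Certificates 0
No Certificates 4
Mid-Connection Handshakes 2
Secure Handshakes 130
Current Active Handshakes 1
Insecure Handshakes Accepted 0
Insecure Handshakes Rejected 0
Insecure Renegotiations Rejected 0
Mismatched Server Name Rejected 0
Failures
Premature Disconnects 3
Handshake Failures 1
Renegotiations Rejected 0
Aggregate Renegotiations Rejected 0
Fatal Alerts 1
Active Handshakes Rejected 0
Records
In 5000
Out 4800
Bad 0
DTLS Tx Pushbacks 0
"""

AFTER = BEFORE
for old, new in (
    ("Valid Certificates 120", "Valid Certificates 150"),
    ("Secure Handshakes 130", "Secure Handshakes 165"),
    ("Current Active Handshakes 1", "Current Active Handshakes 3"),
    ("Insecure Handshakes Rejected 0", "Insecure Handshakes Rejected 7"),
    ("Handshake Failures 1", "Handshake Failures 9"),
    ("Fatal Alerts 1", "Fatal Alerts 9"),
    ("In 5000", "In 6200"),
    ("Out 4800", "Out 5900"),
):
    AFTER = AFTER.replace(old, new)


def parse_stats(text):
    """Return {section: {counter: value}}. A line equal to a section name opens that section."""
    stats = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            stats.setdefault(section, {})
            continue
        match = COUNTER_RE.match(line)
        if match and section is not None:
            stats[section][match.group("name")] = int(match.group("value"))
    return stats


def diff_stats(before, after):
    """Return {section: {counter: delta}} for counters whose value changed.

    Negative deltas are kept on purpose: they usually mean the counters were
    reset (profile change, reboot), which is worth seeing rather than hiding.
    """
    changed = {}
    for section, counters in after.items():
        for name, value in counters.items():
            delta = value - before.get(section, {}).get(name, 0)
            if delta:
                changed.setdefault(section, {})[name] = delta
    return changed


def worrying_deltas(before, after):
    """Counters that rose and that the post maps to failures or rejections.

    "Current Active Handshakes" is a gauge, not a failure, so a rise there is ignored.
    """
    flagged = {}
    for section, counters in diff_stats(before, after).items():
        for name, delta in counters.items():
            if delta > 0 and (section == "Failures" or name in REJECTION_COUNTERS):
                flagged[name] = delta
    return flagged


if __name__ == "__main__":
    for name, delta in worrying_deltas(parse_stats(BEFORE), parse_stats(AFTER)).items():
        print(f"{name}: +{delta} since last snapshot")
```

Run against two consecutive dumps, the script reports only the counters worth chasing (here the rising Insecure Handshakes Rejected, Handshake Failures and Fatal Alerts), while growth in Valid Certificates or Records In/Out is left alone as normal traffic.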
References:
Any input is welcome. Together we might be able to "decipher" this. 🙂
/Patrik