Forum Discussion

Patrik_Jonsson
Jan 11, 2017

SSL Profile Handshake/Failure statistics (such fun, must look, so much question)

Hi!

Fair warning, long post. TL;DR: "How to decipher SSL profile statistics"

Looking at the SSL profile handshake statistics and trying to decipher what they mean. It feels a bit like looking at a triple rainbow!

There's more of them, but I'll focus on a few to make it manageable:

Certificates/Handshakes
  Valid Certificates                                                0
  Invalid Certificates                                              0
  No Certificates                                                   0
  Mid-Connection Handshakes                                         0
  Secure Handshakes                                                 0
  Current Active Handshakes                                         0
  Insecure Handshakes Accepted                                      0
  Insecure Handshakes Rejected                                      0
  Insecure Renegotiations Rejected                                  0
  Mismatched Server Name Rejected                                   0
Failures
  Premature Disconnects                                             0
  Handshake Failures                                                0
  Renegotiations Rejected                                           0
  Aggregate Renegotiations Rejected                                 0
  Fatal Alerts                                                      0
  Active Handshakes Rejected                                        0

Found some articles on the topic:

Thought I had really found the answer here, as the "Help" tab in the web UI is generally pretty awesome. But not in this case:

Certificates/Handshakes
Displays certificate and SSL handshake data for Client SSL profile traffic.

https://devcentral.f5.com/articles/ssl-profiles-part-1

This series is really awesome. Props to John and Jason!

On to some theories (and answers from F5):

Certificates/Handshakes
  Valid Certificates - Valid client certificates
  Invalid Certificates - Invalid client certificates
  No Certificates - No client certificate presented
  Mid-Connection Handshakes - Successful renegotiations show up under the "Certificates/Handshakes" heading under the "Mid-Connection Handshakes" field.
  Secure Handshakes - A patched client
  Current Active Handshakes - SSL sessions being established right now
  Insecure Handshakes Accepted - An unpatched client. First connection accepted (Profile is Request or Require).
  Insecure Handshakes Rejected - An unpatched client. First connection rejected (Profile is Request Strict).
  Insecure Renegotiations Rejected - An unpatched client. First renegotiation attempt rejected (Profile is Require).
  Mismatched Server Name Rejected - ?
Failures
  Premature Disconnects - Session not closed gracefully
  Handshake Failures - Client and server not able to agree on a cipher
  Renegotiations Rejected - Escalated within F5
  Aggregate Renegotiations Rejected - Escalated within F5
  Fatal Alerts - For Fatal Alerts the reason can be very different: for example, no common ciphers for client and server; the client does not send a client cert when client authentication is enabled on the BIG-IP; the maximum number of allowed handshakes configured has been reached; or a timer that kicks in after the 3WHS is completed: if the SSL handshake does not complete within the configured value, then "SSL Handshake Timeout Exceeded" applies, a Fatal Alert is sent and the connection is reset by the BIG-IP.
  Active Handshakes Rejected - Currently rejected handshakes?

Records
  In - Self-explaining
  Out - Self-explaining
  Bad - Escalated within F5
  DTLS Tx Pushbacks - Escalated within F5

References:

  1. https://devcentral.f5.com/questions/insecure-handshakes-accepted
  2. CVE-2009-3555 (more information here)

Any input is welcome. Together we might be able to "decipher" this. 🙂

/Patrik

4 Replies

  • I had a look in tmsh; I guess the content there is similar to what you have in the help via the GUI:

    tmsh help ltm profile client-ssl

    Nothing useful in the tmsh manual for v12.

    If you have a valid case where you need to know the information, open a case with F5 support. Maybe someone has asked this before, so they just need to copy from another case (and maybe create an AskF5 solution). Otherwise it may get escalated up to Product Development, as they are the final authority on the software.

    About the rainbow, I did learn something new today. :P I didn't know it was possible to have 2, and the video matches the description of the colours in the Wikipedia article.

    https://en.wikipedia.org/wiki/Rainbow

    "In a primary rainbow, the arc shows red on the outer part and violet on the inner side. This rainbow is caused by light being refracted when entering a droplet of water, then reflected inside on the back of the droplet and refracted again when leaving it.

    In a double rainbow, a second arc is seen outside the primary arc, and has the order of its colours reversed, with red on the inner side of the arc."

  • I submitted a case regarding this a few weeks ago asking for an article explaining SSL Profile statistics and got the answer that there are too many of them to answer, and that most of them are self-explaining.

    Lovely. :)

    Will update this post when I have more information.

    /Patrik

  • They are so much self-explaining that the poor support guy can't even explain them. This is indeed very lovely... :-)

    Cheers, Kai

  • Indeed. 🙂 Got a reply now though. Updating the post, but also leaving the delta here:

    Mid-Connection Handshakes
    Successful renegotiations show up under the "Certificates/Handshakes" heading under the "Mid-Connection Handshakes" field.

    https://support.f5.com/csp/article/K15475 (Insecure Renegotiations Rejected - indicates unpatched clients attempted to renegotiate SSL sessions X times and were rejected by the virtual server)

    The stats in question are all about the configuration of Secure Renegotiation covered in SOL13512:

     Secure Handshakes                           << A patched client
     Insecure Handshakes Accepted                << An unpatched client. First connection accepted (Profile is Request or Require).
     Insecure Handshakes Rejected                << An unpatched client. First connection rejected (Profile is Request Strict).
     Insecure Renegotiations Rejected            << An unpatched client. First renegotiation attempt rejected (Profile is Require).

    Also asked about Bad and DTLS Tx Pushbacks:

     Records
      In - Self-explaining (my comment, not F5's)
      Out - Self-explaining (my comment, not F5's)
      Bad - Escalated within F5
      DTLS Tx Pushbacks - Escalated within F5
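The "patched" versus "unpatched" distinction behind the Secure/Insecure Handshake counters in the original post and in the last reply is RFC 5746: a client that supports secure renegotiation advertises the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00FF) and/or an empty renegotiation_info extension (type 0xFF01) in its ClientHello; a legacy client sends neither. The block below is an added example written for this thread, not F5 code and not from the original posts: it builds two constructed ClientHellos, parses them, classifies each as patched or unpatched, and maps the result onto the counters for the three Secure Renegotiation modes as the thread describes them (Request, Require, Require Strict). The counter names and mode meanings come from the thread; the function names, the sample cipher suites, and the treatment of a legacy renegotiation under Request mode (allowed, and counted as a Mid-Connection Handshake) are assumptions of the example.

```python
# Added example for this thread, not F5 code: classify ClientHellos by RFC 5746
# secure-renegotiation signalling and map them onto the client-ssl counters
# discussed above. Mode and counter names are the thread's; function names and
# all sample data are constructed for the example.
import struct
from collections import Counter

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 section 3.3: signalling cipher suite value
EXT_RENEGOTIATION_INFO = 0xFF01             # RFC 5746 section 3.2: extension type
MODES = ("request", "require", "require-strict")


def build_client_hello(cipher_suites, extensions=()):
    """Build a minimal TLS 1.2 ClientHello handshake message (type 1, 24-bit length, body)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"    # client_version, random (zeros, constructed), empty session_id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                           # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Return (cipher_suites, {ext_type: ext_data}) from a ClientHello handshake message."""
    if not msg or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                  # skip client_version and random
    off += 1 + body[off]                          # skip session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                          # skip compression_methods
    exts = {}
    if off < len(body):                           # extensions block is optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            exts[etype] = body[off:off + elen]
            off += elen
    return suites, exts


def signals_secure_renegotiation(msg):
    """True if the client is 'patched' in the thread's sense: it sent the SCSV
    and/or the renegotiation_info extension (RFC 5746 section 3.4)."""
    suites, exts = parse_client_hello(msg)
    return TLS_EMPTY_RENEGOTIATION_INFO_SCSV in suites or EXT_RENEGOTIATION_INFO in exts


def counters_for(msg, mode, renegotiation=False):
    """Counters one handshake bumps, following the thread's explanation:
    patched client           -> Secure Handshakes (initial) / Mid-Connection Handshakes (renegotiation)
    unpatched, initial       -> Insecure Handshakes Accepted (Request, Require)
                                Insecure Handshakes Rejected (Require Strict)
    unpatched, renegotiation -> Insecure Renegotiations Rejected (Require, Require Strict)
    Assumption not stated in the thread: under Request a legacy renegotiation
    is allowed and counted as a Mid-Connection Handshake."""
    if mode not in MODES:
        raise ValueError(f"unknown secure-renegotiation mode {mode!r}")
    if signals_secure_renegotiation(msg):
        return ["Mid-Connection Handshakes" if renegotiation else "Secure Handshakes"]
    if not renegotiation:
        return ["Insecure Handshakes Rejected" if mode == "require-strict"
                else "Insecure Handshakes Accepted"]
    if mode == "request":
        return ["Mid-Connection Handshakes"]
    return ["Insecure Renegotiations Rejected"]


def tally(handshakes, mode):
    """Sum the counters over a list of (client_hello, is_renegotiation) pairs."""
    counts = Counter()
    for msg, reneg in handshakes:
        counts.update(counters_for(msg, mode, reneg))
    return counts


# Constructed sample clients: the patched one advertises both RFC 5746 signals
# (a real client sends at least one); the unpatched one sends neither.
PATCHED = build_client_hello(
    [0xC02F, 0x009C, TLS_EMPTY_RENEGOTIATION_INFO_SCSV],
    [(EXT_RENEGOTIATION_INFO, b"\x00")])   # empty renegotiated_connection on an initial handshake
UNPATCHED = build_client_hello([0xC02F, 0x009C])

if __name__ == "__main__":
    sample = [(PATCHED, False)] * 3 + [(UNPATCHED, False)] * 2 + [(UNPATCHED, True)]
    for mode in MODES:
        print(mode, dict(tally(sample, mode)))
```

Running it prints, per mode, the counters the same six handshakes would produce: under Require the two legacy clients land in Insecure Handshakes Accepted and their renegotiation in Insecure Renegotiations Rejected; under Require Strict the same clients are refused at the first handshake and show up under Insecure Handshakes Rejected instead. The useful practitioner check is the ratio of the Insecure counters to Secure Handshakes on a live profile: it tells you how many clients still lack RFC 5746 before you tighten the mode.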