TLS 1.3 and BIG-IP Virtual Edition - BEST

Question

Has there been any changes in the way TLS 1.3 is configured in AWS BEST AMIs after 15.0.1.1 0.0.3 build. Same config works fine with no error on F5 BIG-IP Virtual Edition - BEST 15.0.1.1 0.0.3 and F5 BIG-IP Virtual Edition - GOOD 15.1.0.4 0.0.6 but not for F5 BIG-IP Virtual Edition - BEST 15.1.0.4 0.0.6.

I'm getting the below error:

curl -v -k https://20.0.5.25/30KB.htm

* Trying 20.0.5.25...

* TCP_NODELAY set

* Connected to 20.0.5.25 (20.0.5.25) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* successfully set certificate verify locations:

* CAfile: /etc/ssl/certs/ca-certificates.crt

CApath: /etc/ssl/certs

* TLSv1.3 (OUT), TLS handshake, Client hello (1):

* TLSv1.3 (IN), TLS handshake, Server hello (2):

* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):

* TLSv1.3 (IN), TLS handshake, Unknown (8):

* TLSv1.3 (OUT), TLS alert, Server hello (2):

* error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac

* stopped the pause stream!

* Closing connection 0

curl: (35) error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac

andrew-f5 · Answer

Can you try openssl s_client?openssl s_client -tls1_3 -connect 20.0.5.25:443

ntinos · Answer

Here you are:#openssl s_client -tls1_3 -connect 20.0.5.25:443CONNECTED(00000005)depth=0 C = US, ST = CA, O = Ntinos, CN = ANGverify error:num=18:self signed certificateverify return:1depth=0 C = US, ST = CA, O = Ntinos, CN = ANGverify error:num=26:unsupported certificate purposeverify return:1depth=0 C = US, ST = CA, O = Ntinos, CN = ANGverify error:num=10:certificate has expirednotAfter=Jan 30 23:58:24 2020 GMTverify return:1depth=0 C = US, ST = CA, O = Ntinos, CN = ANGnotAfter=Jan 30 23:58:24 2020 GMTverify return:1139621769810368:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:../ssl/record/ssl3_record.c:677:---Certificate chain&nbsp;0 s:C = US, ST = CA, O = Ntinos, CN = ANG&nbsp;&nbsp;i:C = US, ST = CA, O = Ntinos, CN = ANG---Server certificate-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----subject=C = US, ST = CA, O = Ntinos, CN = ANG&nbsp;issuer=C = US, ST = CA, O = Ntinos, CN = ANG&nbsp;---No client certificate CA names sentServer Temp Key: X25519, 253 bits---SSL handshake has read 1463 bytes and written 240 bytesVerification error: certificate has expired---New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384Server public key is 2048 bitSecure Renegotiation IS NOT supportedCompression: NONEExpansion: NONENo ALPN negotiatedEarly data was not sentVerify return code: 10 (certificate has expired)---

lidev · Answer

Hi Ntinos,Your openssl test reveals that your certificate has expired (Verify return code: 10 (certificate has expired), renews the certificate and this should make it work better😉

ntinos · Answer

Why does this happen only on TLS 1.3 and 1.5.1 BEST? TLS 1.2 works fine.

lidev · Answer

Have you try the same test (openssl s_clien)t but with tls1.2 to see if the result is the same (certificate expired)?openssl s_client -tls1_2 -connect 20.0.5.25:443

Forum Discussion

TLS 1.3 and BIG-IP Virtual Edition - BEST

10 Replies

Recent Discussions

Need advise to setup a policy on F5

Web acceleration

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Related Content

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

Quick Optimizations for F5 BIG-IP Virtual Edition

Create F5 BIG-IP Next Instance on Proxmox Virtual Environment

What is BIG-IP Next?

Integrating SSL Orchestrator with Fortinet FortiGate Virtual Edition as a Virtual Wire