cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

TLS 1.3 and BIG-IP Virtual Edition - BEST

Ntinos
Nimbostratus
Nimbostratus

Has there been any changes in the way TLS 1.3 is configured in AWS BEST AMIs after 15.0.1.1 0.0.3 build. Same config works fine with no error on F5 BIG-IP Virtual Edition - BEST 15.0.1.1 0.0.3 and F5 BIG-IP Virtual Edition - GOOD 15.1.0.4 0.0.6 but not for F5 BIG-IP Virtual Edition - BEST 15.1.0.4 0.0.6.

 

I'm getting the below error:

curl -v -k https://20.0.5.25/30KB.htm

*  Trying 20.0.5.25...

* TCP_NODELAY set

* Connected to 20.0.5.25 (20.0.5.25) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* successfully set certificate verify locations:

*  CAfile: /etc/ssl/certs/ca-certificates.crt

 CApath: /etc/ssl/certs

* TLSv1.3 (OUT), TLS handshake, Client hello (1):

* TLSv1.3 (IN), TLS handshake, Server hello (2):

* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):

* TLSv1.3 (IN), TLS handshake, Unknown (8):

* TLSv1.3 (OUT), TLS alert, Server hello (2):

* error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac

* stopped the pause stream!

* Closing connection 0

curl: (35) error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac

 

 

10 REPLIES 10

Andrew-F5
F5 Employee
F5 Employee

Can you try openssl s_client?

openssl s_client -tls1_3 -connect 20.0.5.25:443

Ntinos
Nimbostratus
Nimbostratus

Here you are:

#openssl s_client -tls1_3 -connect 20.0.5.25:443

CONNECTED(00000005)

depth=0 C = US, ST = CA, O = Ntinos, CN = ANG

verify error:num=18:self signed certificate

verify return:1

depth=0 C = US, ST = CA, O = Ntinos, CN = ANG

verify error:num=26:unsupported certificate purpose

verify return:1

depth=0 C = US, ST = CA, O = Ntinos, CN = ANG

verify error:num=10:certificate has expired

notAfter=Jan 30 23:58:24 2020 GMT

verify return:1

depth=0 C = US, ST = CA, O = Ntinos, CN = ANG

notAfter=Jan 30 23:58:24 2020 GMT

verify return:1

139621769810368:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:../ssl/record/ssl3_record.c:677:

---

Certificate chain

 0 s:C = US, ST = CA, O = Ntinos, CN = ANG

  i:C = US, ST = CA, O = Ntinos, CN = ANG

---

Server certificate

-----BEGIN CERTIFICATE-----

.

.

.

-----END CERTIFICATE-----

subject=C = US, ST = CA, O = Ntinos, CN = ANG

 

issuer=C = US, ST = CA, O = Ntinos, CN = ANG

 

---

No client certificate CA names sent

Server Temp Key: X25519, 253 bits

---

SSL handshake has read 1463 bytes and written 240 bytes

Verification error: certificate has expired

---

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

Server public key is 2048 bit

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

Early data was not sent

Verify return code: 10 (certificate has expired)

---

Lidev
MVP
MVP

Hi Ntinos,

Your openssl test reveals that your certificate has expired (Verify return code: 10 (certificate has expired), renews the certificate and this should make it work better😉

Ntinos
Nimbostratus
Nimbostratus

Why does this happen only on TLS 1.3 and 1.5.1 BEST? TLS 1.2 works fine.

Have you try the same test (openssl s_clien)t but with tls1.2 to see if the result is the same (certificate expired)?

openssl s_client -tls1_2 -connect 20.0.5.25:443

 

Yes, ceritificate is expired but everything works, curl/spirent etc.

Okay, makes a tcpdump or ssl dump and compares the Ciphers Suites negotiated with the client during the SSL Handshake.

TLS 1.3 has eliminated support for algorithms and ciphers that are practically vulnerable.

  • RC4 Stream Cipher
  • RSA Key Exchange
  • SHA-1 Hash Function
  • CBC (Block) Mode Ciphers
  • MD5 Algorithm
  • Various non-ephemeral Diffie-Hellman groups
  • EXPORT-strength ciphers
  • DES
  • 3DES

 

I've updated my certificate so that it's not expired, still the same error. I still don't understand why this happens to BEST instance only and why GOOD works...

DMan
Nimbostratus
Nimbostratus

 Were you able to get to the root cause of this issue and able to resolve? I am having the same issue with one of the 15.1.2.1 version.

Not really, I had to use the older version...