10-Sep-2020 03:20
Have there been any changes in the way TLS 1.3 is configured in AWS BEST AMIs after the 15.0.1.1 0.0.3 build? The same config works fine with no error on F5 BIG-IP Virtual Edition - BEST 15.0.1.1 0.0.3 and F5 BIG-IP Virtual Edition - GOOD 15.1.0.4 0.0.6, but not on F5 BIG-IP Virtual Edition - BEST 15.1.0.4 0.0.6.
I'm getting the below error:
curl -v -k https://20.0.5.25/30KB.htm
* Trying 20.0.5.25...
* TCP_NODELAY set
* Connected to 20.0.5.25 (20.0.5.25) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac
17-Sep-2020 00:56
Here you are:
#openssl s_client -tls1_3 -connect 20.0.5.25:443
CONNECTED(00000005)
depth=0 C = US, ST = CA, O = Ntinos, CN = ANG
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CA, O = Ntinos, CN = ANG
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 C = US, ST = CA, O = Ntinos, CN = ANG
verify error:num=10:certificate has expired
notAfter=Jan 30 23:58:24 2020 GMT
verify return:1
depth=0 C = US, ST = CA, O = Ntinos, CN = ANG
notAfter=Jan 30 23:58:24 2020 GMT
verify return:1
139621769810368:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:../ssl/record/ssl3_record.c:677:
---
Certificate chain
0 s:C = US, ST = CA, O = Ntinos, CN = ANG
i:C = US, ST = CA, O = Ntinos, CN = ANG
---
Server certificate
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
subject=C = US, ST = CA, O = Ntinos, CN = ANG
issuer=C = US, ST = CA, O = Ntinos, CN = ANG
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1463 bytes and written 240 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
17-Sep-2020 01:54
Hi Ntinos,
Your openssl test reveals that your certificate has expired (Verify return code: 10 (certificate has expired)). Renew the certificate and this should make it work better 😉
17-Sep-2020 06:22 - last edited on 04-Jun-2023 21:17 by JimmyPackets
Have you tried the same test (openssl s_client) but with TLS 1.2, to see if the result is the same (certificate expired)?
openssl s_client -tls1_2 -connect 20.0.5.25:443
17-Sep-2020 06:59
Yes, the certificate is expired but everything works: curl, Spirent, etc.
17-Sep-2020 07:21
Okay, take a tcpdump or SSL dump and compare the cipher suites negotiated with the client during the SSL handshake.
TLS 1.3 has eliminated support for algorithms and ciphers that are practically vulnerable.
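As an added example (not code from this thread or from F5), here is the TLS 1.2 versus TLS 1.3 comparison suggested above done with Python's ssl module instead of openssl s_client: a parser for the s_client output quoted earlier, run on a sample constructed from that transcript, plus a single-version probe. The host and port are the thread's example address and are assumed.

```python
"""Compare TLS 1.2 and TLS 1.3 handshake results for one endpoint and parse
openssl s_client output so two runs (-tls1_2 vs -tls1_3) can be diffed."""
import re
import socket
import ssl

# Constructed sample: the key lines of the s_client transcript quoted in the thread.
SAMPLE_S_CLIENT = """\
139621769810368:error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac:../ssl/record/ssl3_record.c:677:
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 10 (certificate has expired)
"""


def parse_s_client(output: str) -> dict:
    """Extract protocol, cipher, verify code and any SSL-routine error."""
    result = {"version": None, "cipher": None, "verify_code": None, "error": None}
    m = re.search(r"^New, (TLSv[\d.]+), Cipher is (\S+)", output, re.M)
    if m:
        result["version"], result["cipher"] = m.group(1), m.group(2)
    m = re.search(r"^Verify return code: (\d+)", output, re.M)
    if m:
        result["verify_code"] = int(m.group(1))
    m = re.search(r"error:([0-9A-F]+):SSL routines:[^:]*:([^:]+)", output)
    if m:
        result["error"] = f"{m.group(1)} {m.group(2)}"
    return result


def probe(host: str, port: int, version: ssl.TLSVersion) -> dict:
    """Handshake with exactly one protocol version. Certificate verification is
    disabled on purpose so an expired cert (verify code 10) cannot mask a
    record-layer failure such as 'bad record mac', which is what the thread
    needs to separate; do not reuse this context for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = version
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"version": tls.version(), "cipher": tls.cipher()[0], "error": None}
    except ssl.SSLError as exc:
        return {"version": version.name, "cipher": None, "error": exc.reason}


if __name__ == "__main__":
    print(parse_s_client(SAMPLE_S_CLIENT))
    for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(probe("20.0.5.25", 443, v))  # the virtual server address from the thread (assumed)
```

If TLS 1.2 returns a cipher and TLS 1.3 returns the record-layer error, the fault is in the TLS 1.3 path on that build rather than in the certificate.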
22-Sep-2020 04:59
I've updated my certificate so that it's not expired, still the same error. I still don't understand why this happens to BEST instance only and why GOOD works...
04-Jul-2021 17:37 - last edited on 24-Mar-2022 01:29 by li-migration
Were you able to get to the root cause of this issue and able to resolve? I am having the same issue with one of the 15.1.2.1 version.
05-Jul-2021 02:06
Not really, I had to use the older version...