Forum Discussion

Karim
Mar 29, 2019

Virtual Server with TLS1.3

Hi team,

I have a lab in version 14.1.0.1. I'm trying to deploy a virtual server which handles HTTP over TLS version 1.3 (SSL offloading).

However, when I access my virtual server I receive the following error message in my browser (Firefox 66.0.2 64-bit):

An error occurred during a connection to 10.10.245.80. SSL received a record with an incorrect Message Authentication Code. Error code: SSL_ERROR_BAD_MAC_READ

In /var/log/ltm:

Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260013:4: SSL Handshake failed for TCP 10.10.0.1:50827 -> 10.10.245.80:443
Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260009:4: Connection error: ssl_basic_crypto_cb:691: Decryption error (20)

I can provide the pcap while accessing the virtual server. The client-side SSL handshake does not succeed. The client seems not to accept the BIG-IP's response. I first thought that was a browser issue, but with the same browser I'm able to access https://tls13.crypto.mozilla.org/, which is a TLS 1.3-only website. Moreover, the same cipher was chosen in both handshakes: TLS_AES_128_GCM_SHA256 (0x1301).

Here is my config:

ltm virtual /Common/http_vs {
    creation-time 2019-03-22:14:25:44
    destination /Common/10.10.245.80:443
    ip-protocol tcp
    last-modified-time 2019-03-29:15:33:08
    mask 255.255.255.255
    pool /Common/http_pool
    profiles {
        /Common/http { }
        /Common/kabe_clientssl {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

ltm profile client-ssl /Common/kabe_clientssl {
    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    cipher-group /Common/f5-aes
    ciphers none
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    options { dont-insert-empty-fragments }
}

Could you please help me understand why the TLS handshake is down?

Many thanks,

Karim BENYELLOUL

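The two /var/log/ltm lines above are the most useful evidence in this post: the 01260013 handshake failure names the client and the virtual server, and the 01260009 line that follows it on the same tmm carries the reason (a record-layer decryption error, which is the server-side view of the browser's SSL_ERROR_BAD_MAC_READ). The script below is an added example, not code from the poster or from F5: it parses lines in that format, pairs each handshake failure with the explanation logged right after it by the same tmm, summarises failures per virtual server and reason, and offers a small TLS 1.3-only probe built on Python's ssl module so the negotiated version and cipher (or the OpenSSL failure reason) can be compared with what the browser reports. The log format is taken from the two lines in the post; the extra sample lines are constructed, and the probe is meant to be pointed at a lab virtual server you operate.

```python
"""Triage helpers for a BIG-IP client-side TLS 1.3 handshake failure.

Added example; not part of the original post and not F5 code.
"""
import re
import socket
import ssl
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample /var/log/ltm excerpt. The first two lines are the ones quoted in the
# post; the rest are constructed to show a second failure on another tmm and
# an unrelated line that must be ignored.
SAMPLE_LTM_LOG = """\
Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260013:4: SSL Handshake failed for TCP 10.10.0.1:50827 -> 10.10.245.80:443
Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260009:4: Connection error: ssl_basic_crypto_cb:691: Decryption error (20)
Mar 29 15:49:02 bigip-a warning tmm0[9754]: 01260013:4: SSL Handshake failed for TCP 10.10.0.1:50831 -> 10.10.245.80:443
Mar 29 15:49:02 bigip-a warning tmm0[9754]: 01260009:4: Connection error: ssl_basic_crypto_cb:691: Decryption error (20)
Mar 29 15:50:10 bigip-a notice tmm1[9755]: example unrelated message (constructed)
"""

# Syslog-style prefix used by /var/log/ltm; the "MMMMMMMM:L:" message id is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?:(?P<msgid>[0-9a-f]{8}):(?P<level>\d): )?(?P<msg>.*)$"
)
HANDSHAKE_RE = re.compile(
    r"SSL Handshake failed for TCP (?P<client>[\d.]+):(?P<cport>\d+) -> (?P<vip>[\d.]+):(?P<vport>\d+)"
)


@dataclass
class HandshakeFailure:
    timestamp: str
    tmm: str
    client: str
    virtual: str
    reason: Optional[str] = None  # filled from the 01260009 line logged by the same tmm


def parse_ltm_log(text: str) -> List[HandshakeFailure]:
    """Extract handshake failures and attach the explanation the same tmm logs next."""
    failures: List[HandshakeFailure] = []
    pending: Dict[str, int] = {}  # tmm name -> index of a failure still awaiting its reason
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tmm, msg = m["proc"], m["msg"]
        hs = HANDSHAKE_RE.search(msg)
        if hs:
            failures.append(HandshakeFailure(
                m["ts"], tmm, f"{hs['client']}:{hs['cport']}", f"{hs['vip']}:{hs['vport']}"))
            pending[tmm] = len(failures) - 1
        elif msg.startswith("Connection error: ") and tmm in pending:
            # The reason belongs to the most recent unexplained failure on this tmm.
            failures[pending.pop(tmm)].reason = msg[len("Connection error: "):]
    return failures


def summarize(failures: List[HandshakeFailure]) -> dict:
    """Count failures per virtual server and per logged reason."""
    return {
        "total": len(failures),
        "by_virtual": Counter(f.virtual for f in failures),
        "by_reason": Counter(f.reason or "unexplained" for f in failures),
    }


def probe_tls13(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt a TLS 1.3-only handshake and report what was negotiated or why it failed.

    Certificate verification is disabled on purpose: the lab uses default.crt and the
    question is whether the record layer works, not whether the cert is trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # refuse anything older so a fallback cannot mask the bug
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        # exc.reason carries the OpenSSL reason string, e.g. DECRYPTION_FAILED_OR_BAD_RECORD_MAC
        return {"ok": False, "reason": exc.reason}
    except OSError as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    import sys

    found = parse_ltm_log(SAMPLE_LTM_LOG)
    for failure in found:
        print(failure)
    print(summarize(found))
    if len(sys.argv) > 1:  # optional: python3 triage.py <virtual-server-ip>
        print(probe_tls13(sys.argv[1]))
```

Run it without arguments to see the parser on the embedded sample, or pass the virtual server address to run the probe as well. A probe that reports ok with version TLSv1.3 while Firefox still fails points at the client side; a probe that fails with a bad-record-MAC reason reproduces the browser's symptom from a second implementation and makes the pcap the next thing to look at.
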
2 Replies

  • According to this thread, it seems that AES ciphers can cause this error on certain versions. Perhaps this is a similar issue to what you are experiencing. Have you tried changing the ciphers to 3DES to see if that resolves the issue?

    Here is a link to the documentation on modifying the cipher string.

    If you have any more questions, I am sure I can help.