clientssl
19 Topics

Support dynamic CRL check for clientSSL profile (BIG-IP 15.1)
Hi, Did anyone test the (dynamic) CRL validator object for the client SSL profile (BIG-IP v15.1)? It should work in v15.1 (fixed bug 743758 - https://cdn.f5.com/product/bugtracker/ID743758.html ). I'm getting the following errors for all client certificates:

    err tmm1[21207]: 01a40008:3: Unable to build certificate trust chain for profile /clientssl_profile
    tmm1[21207]: 01260009:4: clientIP:62042 -> VIP:443: Connection error: ssl_hs_do_crl_validation:6014: alert(46) unknown certificate error

With a CRL file it works ok, but the file does not automatically fetch, check, and cache CRL files… Kr, EPX

2.6K views, 1 like, 3 comments

SSL handshake errors
Hi there, Recently put TMOS version 12 into production and see the following SSL handshake errors, none of which existed in version 10.2.3:

    Nov 12 03:15:36 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 72.238.29.206:60819 -> x.x.x.x:443
    Nov 12 03:15:55 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 96.241.137.52:50815 -> x.x.x.x:443
    Nov 12 03:16:12 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 166.172.187.30:38119 -> x.x.x.x:443
    Nov 12 03:16:32 dc1lbc2p warning tmm[11446]: 01260009:4: Connection error: hud_ssl_handler:1135: codec alert (20)
    Nov 12 03:16:32 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP y.y.y.y:63127 -> z.z.z.z:443
    Nov 12 03:18:53 dc1lbc2p warning tmm[11446]: 01260009:4: Connection error: ssl_hs_rxhello:7103: unsupported version (40)

Did ssldump and ssl debugs but can't figure it out. There are no low encryption ciphers being presented by clients. In fact I don't see any handshake errors in the packet captures. It's pretty baffling. Would be great if someone can throw some light. Techs at F5 haven't been able to figure it out either. Thanks, Naresh

2.1K views, 0 likes, 43 comments

Client SSL profiles using SNI not able to use the subject alternative name
We have a clientssl profile using a *.domain.com wildcard SSL certificate. This profile is set as the default for SNI. We also have specific clientssl profiles using the application specific SSL certificate. The application specific certs have their subject as www.application.com with the subject alternative name application.com. There may also be several other SANs listed depending on the web app. In testing everything works great when accessing the site via https://www.application.com. However when using https://application.com we receive a cert error and the *.domain.com wildcard SSL certificate is used. This is the same for any domain listed as a SAN. My main question is: can SNI use subject alternative names? My testing indicates no, but I wanted to put this out to the group. Here is my sanitized config:

    ltm profile client-ssl domain.com_wildcard {
        app-service none
        cert domain.com_wildcard.crt
        chain ComodoCA.crt
        defaults-from clientssl
        key domain.com_wildcard.key
        sni-default true
    }
    ltm profile client-ssl prod-www_application_com {
        app-service none
        cert prod-www_application_com.crt
        chain prod-www_application_com.intermediate.ca.crt
        key prod-www_application_com.key
    }
    ltm virtual vs-x.x.x.x_443 {
        destination x.x.x.x:https
        ip-protocol tcp
        mask 255.255.255.255
        pool site-x.x.x.x_443
        profiles {
            http-x-forward { }
            domain.com_wildcard {
                context clientside
            }
            prod-www_application_com {
                context clientside
            }
            serverssl-insecure-compatible {
                context serverside
            }
            tcp { }
            websecurity { }
        }
        source 0.0.0.0/0
        source-address-translation {
            pool snat_pool
            type snat
        }
        vs-index 2539
    }

1.3K views, 0 likes, 7 comments

TCL error: _cgc_pick_clientside
Hi, in an ASM-LTM (Perimeter) setup I frequently see the following logs:

    err: tmm3[19962]: 01220001:3: TCL error: _cgc_pick_clientside - unknown cgc sni: f5-bei1.xxxx.xx (line 49) invoked from within "CGC::sni $tls_servername"

Any idea what this TCL error causes? The clientssl is quite basic: one certificate chain, no Server Name set. Thanks, Rolf

1K views, 1 like, 4 comments

Leave TLSv1 enabled but prioritize TLS1.2 or TLS1.1 over v1
We've disabled SSL altogether on our F5 but we still allow TLSv1, TLSv1.1 and 1.2. We notice that most of our clients are hitting us on TLSv1 even though we support 1.2. Our clients have stated that they're sending a list of ciphers that they support when they initially connect (TLSv1, 1.1, and 1.2). Even though they're supporting 1.2 and we support 1.2, their connection is still using 1.0. Looking at the tmm clientciphers DEFAULT command I see that tls1.0 is ordered above 1.1 and 1.2. Is there a way to reorder this or prioritize 1.2 and 1.1 over 1.0?

537 views, 0 likes, 10 comments

SPDY not working with Chrome browser on Android
Hi, we're experimenting with SPDY profiles on LTM 11.4. SPDY seems to be working fine with SPDY-enabled desktop browsers (Chrome, Firefox) and also with non-SPDY browsers (IE, iPhone?). The only browser which can't get a connection to an SPDY-enabled virtual server is Google Chrome on Android. There we get "ERR_CONNECTION_CLOSED" on the client. In a tcpdump, the SSL handshake seems ok, but then the load balancer ends the connection (FIN). Might be a browser bug (though since Google invented SPDY, one would think SPDY on Google Chrome should be flawless). Has anybody experienced the same, has any hints or can at least confirm this? LTM: 11.4.1 Browser: Android Chrome 35.0.1916.138 Thank you in advance, Markus

499 views, 0 likes, 4 comments

ClientSSL Profile. Key and Cert mismatch. Applying to Virtual Server
Hi, I have a VIP set up for HTTPS pointing to a pool of HTTP servers. We want to install the certificate on the BIG-IP. I generated the CSR for a certificate authority, received the cert and imported it. I created an SSL profile, using clientssl as the parent profile, and selected my certificate and key. But I'm receiving the error: "Common/xdoctest_clientssl's key and certificate do not match". I generated two MD5 checksums and found the crt and key do not match. Is this a problem with the certificate I received? ClientSSL would be the appropriate profile in this scenario, correct? My plan was to apply the clientSSL to the VIP and leave the serverssl blank (due to the HTTP backend).

453 views, 0 likes, 10 comments

Custom cipher suite for ClientSSL Profile
Hello Folks, I want to use a custom set of ciphers in my ClientSSL profile. I have gone through the F5 document on how to disallow ciphers by putting !. However I have a requirement that I need to use only 2 cipher suites, AES128-SHA256 & AES256-SHA256, and the rest should be denied. How can I deny the remaining cipher suites by allowing only the required ones? Any help is appreciated. Cheers! Darshan

419 views, 0 likes, 8 comments

Create client-ssl profile with tmsh error
Hello, I want to do a mass profile creation with tmsh. But I always get the error 010717e3:3: Client SSL profile must have RSA certificate/key pair. I try:

    create ltm profile client-ssl /Part_123/clientssl_123.xyz.com_1 {
        app-service none
        cert /Part_123/clientssl_123.xyz.com_1.crt
        cert-key-chain add {
            clientssl_123.xyz.com_1 {
                cert /Part_123/clientssl_123.xyz.com_1.crt
                key /Part_123/clientssl_123.xyz.com_1.key
                chain /Common/Int-CA.crt
            }
        }
        chain /Common/Int-CA.crt
        key /Part_123/clientssl_123.xyz.com_1.key
        defaults-from /Common/clientssl_onlyECDHE
        server-name 123.xyz.com
    }

All partitions, certs and so on exist. I hope you can help me. Cheers

410 views, 0 likes, 3 comments