Forum Discussion
5 Replies
Sort By
- mfkk531_168091NimbostratusI'm sure they disabled the correct versions because when i tried accessing this bypassing load balance4r and idrectly hitting server url - it was working fine. I verified the tls version 1.2 with wireshark running on my PC
- mfkk531_168091NimbostratusThanks Paul T Below is the ssldump output New TCP connection 1: 172.16.100.251(6926) <-> abc.xyz.com(4126) 1 1 0.0001 (0.0001) C>S Handshake ClientHello Version 3.3 cipher suites TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA Unknown value 0x3c Unknown value 0x3d Unknown value 0xff compression methods NULL 1 2 0.0010 (0.0008) S>C Handshake ServerHello Version 3.3 session_id[32]= fe f4 f8 9d d7 33 20 0d 63 94 d0 38 cb d9 e6 57 2c 45 6e a2 cf f3 8d 8c b4 14 df 99 f9 8b 56 54 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 1 3 0.0010 (0.0000) S>C Handshake Certificate 1 4 0.0010 (0.0000) S>C Handshake CertificateRequest certificate_types rsa_sign certificate_types dss_sign certificate_types unknown value Not enough data. Found 30 bytes (expecting 32767) ServerHelloDone 1 5 0.0051 (0.0041) C>S Handshake Certificate 1 6 0.0051 (0.0000) C>S Handshake ClientKeyExchange 1 7 0.0051 (0.0000) C>S Handshake CertificateVerify Not enough data. Found 258 bytes (expecting 16384) 1 8 0.0051 (0.0000) C>S ChangeCipherSpec 1 9 0.0051 (0.0000) C>S Handshake 1 10 0.0087 (0.0035) S>C Alert level fatal value decrypt_error 1 0.0092 (0.0004) S>C TCP FIN 1 0.0093 (0.0001) C>S TCP RST
- Paul_T_NimbostratusCould you paste the output from a ssldump (you can anonymize the IPs and cert details). Have you also tried connecting with openssl and forcing TLS 1.2? Perhaps they misconfigured the server when they said they were disallowing TLS 1.0 and 1.1 (this happened to me once).
- mfkk531_168091NimbostratusNo matter what cipher the server picks- it fails, if the record layer is TLSv1.2 There is nothing updated in /var/log/ltm
- Paul_T_NimbostratusWhich cipher is being chosen when it fails? Are you seeing anything in /var/log/ltm?