Forum Discussion

mgamez_60648
Mar 14, 2015

NODE LISTENING ON 8443 DOWN WITH SSL HEALTH MONITOR

So I have this problem where suddenly, the nodes went down and nothing changed.

Health Monitor: 
Send String: GET /health.txt\r\n\r\n
Receive String: OK
Cipher: DEFAULT:+SHA:+3DES:+kEDH

Here is my SSLDUMP output:

New TCP connection 27: 10.3.71.9(57860) <-> 10.3.71.89(8443)
27 1  0.0009 (0.0009)  C>S SSLv2 compatible client hello
Version 3.1 
cipher suites
Unknown value 0x3a  
Unknown value 0x39  
Unknown value 0x38  
Unknown value 0x35  
Unknown value 0x34  
Unknown value 0x33  
Unknown value 0x32  
Unknown value 0x2f  
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  
TLS_DHE_RSA_WITH_DES_CBC_SHA  
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  
TLS_DHE_DSS_WITH_DES_CBC_SHA  
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  
TLS_RSA_WITH_3DES_EDE_CBC_SHA  
TLS_RSA_WITH_DES_CBC_SHA  
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA  
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  
TLS_RSA_WITH_RC4_128_SHA  
TLS_RSA_WITH_RC4_128_MD5  
TLS_RSA_EXPORT_WITH_RC4_40_MD5  
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA  
TLS_DH_anon_WITH_DES_CBC_SHA  
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA  
TLS_DH_anon_WITH_RC4_128_MD5  
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5  
27 2  0.0013 (0.0004)  S>CV3.1(2)  Alert
level           fatal
value           handshake_failure
27    0.0013 (0.0000)  S>C  TCP FIN
New TCP connection 28: 10.3.8.9(57872) <-> 10.3.8.32(8443)
28    0.0017 (0.0017)  C>S  TCP FIN
0.0020 (0.0002)  S>C
---------------------------------------------------------------
15 03 01 00 02 02 28                               ......(
---------------------------------------------------------------

Using default options:

openssl s_client -connect  10.3.71.89:8443 
    CONNECTED(00000003)
    17404:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:596:

Using ssl2:

openssl s_client -connect  10.3.71.89:8443 -ssl2
    CONNECTED(00000003)
    17543:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

Using tls1:

openssl s_client -connect  10.3.71.89:8443 -tls1  
    CONNECTED(00000003)
    depth=0 /C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.bla.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.blah.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.blah.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/C=US/ST=CA/L=blah/O=blah.com LLC/CN=blah.blah.com
    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIgFGjCCBAKgAgwIBAgIQDG0L78P9vCy0DKXDANBggkqhkiG9w0BAQUADBm
    ....
    ....
    ...

As you can see, using openssl -tls1, I connect fine. I suspect this is the problem, but I don't know how to change the protocol to force tls1 only in a health monitor. I'm using v9 of the LTM.

5 Replies

  • Is it a ClientHello message format issue or an SSL protocol version issue? I understand version 3.1 is TLS 1.0.

    For the message format, it was changed from an SSLv2-formatted ClientHello message to a TLSv1/SSLv3 ClientHello message in 11.0.0, according to ID222483.

    ID222483 - [RFE] Add way to force bigd to send TLSv1/SSLv3 Client Hello instead of SSLv2

    If it is a message format issue and an upgrade is not possible, you may have to use an external monitor.


  • Hi nitass, this is an older version of F5, it's v9.4, so that ID wouldn't apply. Any other suggestions?


    • nitass
      You can use an external health monitor, can't you? HTTPS - Monitor SSL Handshake https://devcentral.f5.com/s/articles/https-monitor-ssl-handshake
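
One way to do what nitass suggests, as an added example that is not from the linked article or from anyone in this thread: an external monitor script that probes the pool member with a TLSv1-only handshake via openssl s_client -tls1 (the same call the original poster found working) and reports UP only when the reply carries the configured receive string. The $1/$2 argument convention, the "output on stdout means UP" rule and the pidfile handling are assumptions about how LTM invokes external monitors, modelled on the usual sample monitor.

```shell
#!/bin/sh
# Added example: F5-style external monitor that sends a TLSv1 ClientHello instead
# of bigd's SSLv2-compatible one, which the node in this thread rejects with a
# fatal handshake_failure alert.
# Assumed convention: $1 = node address (IPv4 may arrive IPv6-mapped, e.g.
# ::ffff:10.3.71.89), $2 = port; anything printed to stdout marks the member UP,
# no output marks it DOWN. Requires an openssl build that still accepts -tls1.

SEND_STRING='GET /health.txt\r\n\r\n'   # same request the built-in monitor sends
RECV_STRING='OK'                         # same receive string as the monitor

# Strip the IPv6-mapped prefix that bigd prepends to IPv4 node addresses.
strip_v4mapped() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# Succeed only if the server reply contains the receive string.
# Note: like the built-in monitor, this also matches a "200 OK" status line,
# so keep the receive string specific to the health page if that matters.
response_ok() {
    printf '%s\n' "$1" | grep -q -- "$RECV_STRING"
}

# Run the TLSv1-only probe and print the raw reply (empty on handshake failure).
probe() {
    host=$(strip_v4mapped "$1")
    port=$2
    printf "$SEND_STRING" \
        | openssl s_client -connect "$host:$port" -tls1 -quiet 2>/dev/null
}

if [ $# -ge 2 ]; then
    # Kill a previous instance still running against the same node:port
    # (assumed pidfile convention from the sample external monitor).
    pidfile="/var/run/$(basename "$0").$1..$2.pid"
    if [ -f "$pidfile" ]; then
        kill -9 "$(cat "$pidfile")" >/dev/null 2>&1
    fi
    echo "$$" > "$pidfile"

    reply=$(probe "$1" "$2")
    rm -f "$pidfile"

    # Only a reply carrying the receive string marks the member UP.
    response_ok "$reply" && echo "UP"
fi
```

Confirm the probe by hand first with `openssl s_client -connect 10.3.71.89:8443 -tls1` from the LTM, since the script stays silent (member DOWN) on any handshake failure.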
  • Hi mgamez,

    I think that the server disabled SSLv2 and SSLv3, and after that you are seeing pool members down.

    Please confirm.

    Thanks and Regards,
    Ankit


  • I am facing the same issue (openssl s_client -connect 10.3.71.89:8443 CONNECTED(00000003) 17404:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:596:). Did you find a resolution?