Forum Discussion

johtte_168100

Nimbostratus

Nov 09, 2015

ssl handshake failure with backend server

Hi, I am trying to SSL termination to backend server using client profile and server profile.

This is the server profile:

admin@(f5lab01-asm)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile server-ssl back-end-servers
ltm profile server-ssl back-end-servers {

alert-timeout 10

app-service none

authenticate once

authenticate-depth 9

authenticate-name none

ca-file none

cache-size 262144

cache-timeout 3600

cert none

chain none

ciphers SSLv3:SSLv3+RC4-SHA

crl-file none

defaults-from serverssl

expire-cert-response-control drop

generic-alert enabled

handshake-timeout 10

key none

mod-ssl-methods disabled

mode enabled

options none

peer-cert-mode ignore

proxy-ssl disabled

proxy-ssl-passthrough disabled

renegotiate-period indefinite

renegotiate-size indefinite

renegotiation disabled

retain-certificate true

secure-renegotiation require

server-name none

session-mirroring disabled

session-ticket disabled

sni-default false

sni-require false

ssl-forward-proxy disabled

ssl-forward-proxy-bypass disabled

ssl-sign-hash any

strict-resume disabled

unclean-shutdown enabled

untrusted-cert-response-control drop

}

the test with openssl

[admin@f5lab01-asm:Active:In Sync] ~ openssl s_client -host 192.168.0.1 -port 443 CONNECTED(00000003) 46963579710592:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 305 bytes

New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE

The ssldump:

[admin@f5lab01-asm:Active:In Sync] ~ ssldump -Aed -k /config/filestore/files_d/Common_d/certificate_key_d/:Common:home.com.key_63567_1 -n -i internal host 192.168.0.1 New TCP connection 1: 192.168.0.63(36056) <-> 192.168.0.1(443) 1 1 1447104036.1652 (0.0008) C>SV3.0(87) Handshake

ClientHello

Version 3.0

random[32]=

09 30 c3 e9 06 5d 07 f9 29 59 e2 3c 3d 84 bc 7c

85 19 71 27 86 ec 58 c2 8e 30 77 47 f4 b9 40 ce

cipher suites

SSL_DHE_RSA_WITH_AES_256_CBC_SHA

SSL_DHE_DSS_WITH_AES_256_CBC_SHA

SSL_DH_anon_WITH_AES_256_CBC_SHA

SSL_RSA_WITH_AES_256_CBC_SHA

SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

SSL_RSA_WITH_3DES_EDE_CBC_SHA

SSL_DHE_RSA_WITH_AES_128_CBC_SHA

SSL_DHE_DSS_WITH_AES_128_CBC_SHA

SSL_DH_anon_WITH_AES_128_CBC_SHA

SSL_RSA_WITH_AES_128_CBC_SHA

SSL_DH_anon_WITH_RC4_128_MD5

SSL_RSA_WITH_RC4_128_SHA

SSL_RSA_WITH_RC4_128_MD5

SSL_DHE_RSA_WITH_DES_CBC_SHA

SSL_DH_anon_WITH_DES_CBC_SHA

SSL_RSA_WITH_DES_CBC_SHA

SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA

SSL_RSA_EXPORT1024_WITH_RC4_56_SHA

SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

SSL_RSA_EXPORT_WITH_RC4_40_MD5

Unknown value 0xff

compression methods

NULL

1 1447104036.1659 (0.0007) S>C TCP FIN

1 1447104036.1660 (0.0000) C>S TCP RST

Any ideas that we need to change?

I am using 11.6 HF6.

Regards

advanced firewall manager

17 Replies

R_Marc
Nimbostratus
Nov 09, 2015
That's a bit unreadable I'd recommend using some wiki tags so the info formats better.

That being said, what is 192.168.111.58? The backend or the virtual IP?

If it's the backend, it would seem to me the backend isn't talking SSL or requires a client certificate. You can add -prexit to your openssl command to see if it wants a client cert.

If it's the virtual IP, then we'd have to know more about your client-ssl profile. You don't get to the server-ssl profile until after client-ssl was successful.
Brad_Parker_139
Nacreous
Nov 09, 2015
Looks like the server doesn't support any of the ciphers you are offering in your server SSL profile. What kind of server is it on the backend? Do you know what ciphers it supports? Have you tried using something more broad like DEFAULT or NATIVE for your cipher string to find out what it can negotiate?
- johtte_168100
  Nimbostratus
  Nov 10, 2015
  The sever is IBM Webshere 6.1 when i am using Native this is the output: * New TCP connection 14: 192.168.0.63(42494) <-> 192.168.0.1(443)
  
  14 1 1447162756.9137 (0.0008) C>SV3.3(215) Handshake
  
  ClientHello
  
  Version 3.3
  
  random[32]=
  
  5e 59 b6 e6 73 f5 6f de ba 99 6f 06 1b fb 9e e9
  
  21 d6 03 9c ad 8d e1 6d 75 15 0b ba 6e be 46 a7
  
  cipher suites
  
  Unknown value 0xc030
  
  Unknown value 0xc02c
  
  Unknown value 0xc028
  
  Unknown value 0xc024
  
  Unknown value 0xc014
  
  Unknown value 0xc00a
  
  Unknown value 0xa3
  
  Unknown value 0x9f
  
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  
  Unknown value 0xa7
  
  TLS_DH_anon_WITH_AES_256_CBC_SHA
  
  Unknown value 0xc032
  
  Unknown value 0xc02e
  
  Unknown value 0xc02a
  
  Unknown value 0xc026
  
  Unknown value 0xc00f
  
  Unknown value 0xc005
  
  Unknown value 0x9d
  
  TLS_RSA_WITH_AES_256_CBC_SHA256
  
  TLS_RSA_WITH_AES_256_CBC_SHA
  
  Unknown value 0xc012
  
  Unknown value 0xc008
  
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  
  TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
  
  Unknown value 0xc00d
  
  Unknown value 0xc003
  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  
  Unknown value 0xc02f
  
  Unknown value 0xc02b
  
  Unknown value 0xc027
  
  Unknown value 0xc023
  
  Unknown value 0xc013
  
  Unknown value 0xc009
  
  Unknown value 0xa2
  
  Unknown value 0x9e
  
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  
  Unknown value 0xa6
  
  TLS_DH_anon_WITH_AES_128_CBC_SHA
  
  Unknown value 0xc031
  
  Unknown value 0xc02d
  
  Unknown value 0xc029
  
  Unknown value 0xc025
  
  Unknown value 0xc00e
  
  Unknown value 0xc004
  
  Unknown value 0x9c
  
  TLS_RSA_WITH_AES_128_CBC_SHA256
  
  TLS_RSA_WITH_AES_128_CBC_SHA
  
  TLS_DH_anon_WITH_RC4_128_MD5
  
  TLS_RSA_WITH_RC4_128_SHA
  
  TLS_RSA_WITH_RC4_128_MD5
  
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  
  TLS_DH_anon_WITH_DES_CBC_SHA
  
  TLS_RSA_WITH_DES_CBC_SHA
  
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  
  Unknown value 0xff
  
  compression methods NULL
  
  14 1447162756.9144 (0.0007) S>C TCP FIN
  
  14 1447162756.9146 (0.0001) C>S TCP RST * Whene i try to Default: * New TCP connection 6: 192.168.0.63(13306) <-> 192.168.0.1(443)
  
  6 1 1447161846.9679 (0.0008) C>SV3.3(131) Handshake
  
  ClientHello
  
  Version 3.3
  
  random[32]=
  
  bb d4 c6 54 aa b6 c4 be be 54 4e a8 12 39 63 7d
  
  12 9a c2 d0 fa 70 54 b6 cf 96 d6 cf b1 8f e8 22
  
  cipher suites
  
  Unknown value 0x9f
  
  Unknown value 0x9e
  
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  
  Unknown value 0x9d
  
  Unknown value 0x9c
  
  TLS_RSA_WITH_AES_256_CBC_SHA256
  
  TLS_RSA_WITH_AES_256_CBC_SHA
  
  TLS_RSA_WITH_AES_128_CBC_SHA256
  
  TLS_RSA_WITH_AES_128_CBC_SHA
  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  
  Unknown value 0xc030
  
  Unknown value 0xc02f
  
  Unknown value 0xc028
  
  Unknown value 0xc014
  
  Unknown value 0xc027
  
  Unknown value 0xc013
  
  Unknown value 0xc012
  
  Unknown value 0xff
  
  compression methods
  
  NULL
  
  6 1447161846.9688 (0.0008) S>C TCP FIN
  
  6 1447161846.9689 (0.0000) C>S TCP RST Regards
- nathe
  Cirrocumulus
  Nov 10, 2015
  Out of interest, does a default HTTPS monitor work on the backend pool member? Can you connect to the backend pool member directly without going via the F5 i.e. the SSL Handshake works then?
- Brad_Parker_139
  Nacreous
  Nov 10, 2015
  Your server is FINing the SSL hanshake. It is either expecting a client cert or doesn't understand TLSv1.2 client HELLO. Can you get the SSL configuration from your WebSphere admins?
Brad_Parker
Cirrus
Nov 09, 2015
Looks like the server doesn't support any of the ciphers you are offering in your server SSL profile. What kind of server is it on the backend? Do you know what ciphers it supports? Have you tried using something more broad like DEFAULT or NATIVE for your cipher string to find out what it can negotiate?
- johtte_168100
  Nimbostratus
  Nov 10, 2015
  The sever is IBM Webshere 6.1 when i am using Native this is the output: * New TCP connection 14: 192.168.0.63(42494) <-> 192.168.0.1(443)
  
  14 1 1447162756.9137 (0.0008) C>SV3.3(215) Handshake
  
  ClientHello
  
  Version 3.3
  
  random[32]=
  
  5e 59 b6 e6 73 f5 6f de ba 99 6f 06 1b fb 9e e9
  
  21 d6 03 9c ad 8d e1 6d 75 15 0b ba 6e be 46 a7
  
  cipher suites
  
  Unknown value 0xc030
  
  Unknown value 0xc02c
  
  Unknown value 0xc028
  
  Unknown value 0xc024
  
  Unknown value 0xc014
  
  Unknown value 0xc00a
  
  Unknown value 0xa3
  
  Unknown value 0x9f
  
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  
  Unknown value 0xa7
  
  TLS_DH_anon_WITH_AES_256_CBC_SHA
  
  Unknown value 0xc032
  
  Unknown value 0xc02e
  
  Unknown value 0xc02a
  
  Unknown value 0xc026
  
  Unknown value 0xc00f
  
  Unknown value 0xc005
  
  Unknown value 0x9d
  
  TLS_RSA_WITH_AES_256_CBC_SHA256
  
  TLS_RSA_WITH_AES_256_CBC_SHA
  
  Unknown value 0xc012
  
  Unknown value 0xc008
  
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  
  TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
  
  Unknown value 0xc00d
  
  Unknown value 0xc003
  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  
  Unknown value 0xc02f
  
  Unknown value 0xc02b
  
  Unknown value 0xc027
  
  Unknown value 0xc023
  
  Unknown value 0xc013
  
  Unknown value 0xc009
  
  Unknown value 0xa2
  
  Unknown value 0x9e
  
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  
  Unknown value 0xa6
  
  TLS_DH_anon_WITH_AES_128_CBC_SHA
  
  Unknown value 0xc031
  
  Unknown value 0xc02d
  
  Unknown value 0xc029
  
  Unknown value 0xc025
  
  Unknown value 0xc00e
  
  Unknown value 0xc004
  
  Unknown value 0x9c
  
  TLS_RSA_WITH_AES_128_CBC_SHA256
  
  TLS_RSA_WITH_AES_128_CBC_SHA
  
  TLS_DH_anon_WITH_RC4_128_MD5
  
  TLS_RSA_WITH_RC4_128_SHA
  
  TLS_RSA_WITH_RC4_128_MD5
  
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  
  TLS_DH_anon_WITH_DES_CBC_SHA
  
  TLS_RSA_WITH_DES_CBC_SHA
  
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  
  Unknown value 0xff
  
  compression methods NULL
  
  14 1447162756.9144 (0.0007) S>C TCP FIN
  
  14 1447162756.9146 (0.0001) C>S TCP RST * Whene i try to Default: * New TCP connection 6: 192.168.0.63(13306) <-> 192.168.0.1(443)
  
  6 1 1447161846.9679 (0.0008) C>SV3.3(131) Handshake
  
  ClientHello
  
  Version 3.3
  
  random[32]=
  
  bb d4 c6 54 aa b6 c4 be be 54 4e a8 12 39 63 7d
  
  12 9a c2 d0 fa 70 54 b6 cf 96 d6 cf b1 8f e8 22
  
  cipher suites
  
  Unknown value 0x9f
  
  Unknown value 0x9e
  
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  
  Unknown value 0x9d
  
  Unknown value 0x9c
  
  TLS_RSA_WITH_AES_256_CBC_SHA256
  
  TLS_RSA_WITH_AES_256_CBC_SHA
  
  TLS_RSA_WITH_AES_128_CBC_SHA256
  
  TLS_RSA_WITH_AES_128_CBC_SHA
  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  
  Unknown value 0xc030
  
  Unknown value 0xc02f
  
  Unknown value 0xc028
  
  Unknown value 0xc014
  
  Unknown value 0xc027
  
  Unknown value 0xc013
  
  Unknown value 0xc012
  
  Unknown value 0xff
  
  compression methods
  
  NULL
  
  6 1447161846.9688 (0.0008) S>C TCP FIN
  
  6 1447161846.9689 (0.0000) C>S TCP RST Regards
- nathe
  Cirrocumulus
  Nov 10, 2015
  Out of interest, does a default HTTPS monitor work on the backend pool member? Can you connect to the backend pool member directly without going via the F5 i.e. the SSL Handshake works then?
- Brad_Parker
  Cirrus
  Nov 10, 2015
  Your server is FINing the SSL hanshake. It is either expecting a client cert or doesn't understand TLSv1.2 client HELLO. Can you get the SSL configuration from your WebSphere admins?
johtte_168100
Nimbostratus
Nov 10, 2015
My client ssl profile:

admin@(f5lab01-asm)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl home.com ltm profile client-ssl home.com {

alert-timeout 10

allow-non-ssl disabled

app-service none

cache-size 262144

cache-timeout 3600

cert home.com.crt

cert-key-chain {

home {

cert home.com.crt

key home.com.key

}

}

chain none

ciphers DEFAULT

defaults-from clientssl

generic-alert enabled

handshake-timeout 10

inherit-certkeychain false

key home.com.key

max-renegotiations-per-minute 5

mod-ssl-methods disabled

mode enabled

options { dont-insert-empty-fragments }

passphrase none

peer-no-renegotiate-timeout 10

proxy-ssl disabled

proxy-ssl-passthrough disabled

renegotiate-max-record-delay indefinite

renegotiate-period indefinite

renegotiate-size indefinite

renegotiation enabled

secure-renegotiation require

server-name none

session-mirroring disabled

session-ticket disabled

sni-default false

sni-require false

ssl-sign-hash any

strict-resume disabled

unclean-shutdown enabled

}
- Brad_Parker
  Cirrus
  Nov 10, 2015
  What about your server SSL profile. I think that's where your issue lies.

johtte_168100

Nimbostratus

Nov 10, 2015

This is my last change on ssl server profile

admin@(f5lab01-asm)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile server-ssl back-end-servers ltm profile server-ssl back-end-servers { alert-timeout 10

app-service none

authenticate once

authenticate-depth 9

authenticate-name none

ca-file none

cache-size 262144

cache-timeout 3600

cert none

chain none

***ciphers SSLv3:SSLv3+RC4-SHA:SSLv2:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES***

crl-file none

defaults-from serverssl

expire-cert-response-control drop

generic-alert enabled

handshake-timeout 10

key none

mod-ssl-methods disabled

mode enabled

options none

peer-cert-mode ignore

proxy-ssl disabled

proxy-ssl-passthrough disabled

renegotiate-period indefinite

renegotiate-size indefinite

renegotiation disabled

retain-certificate true

**secure-renegotiation request**

server-name none

session-mirroring disabled

session-ticket disabled

sni-default false

sni-require false

ssl-forward-proxy disabled

ssl-forward-proxy-bypass disabled

ssl-sign-hash any

strict-resume disabled

unclean-shutdown enabled

untrusted-cert-response-control drop

}

Kevin_Stewart
Employee
Nov 11, 2015
For what it's worth, the server is sending a FIN right after the client's ClientHello. That would never indicate that the server requires a client certificate as the CertificateRequest message is AFTER the server's ServerHello and Certificate messages. At most the reasons for the server not sending a ServerHello would be (in general order of precedence):

No support for the client's preferred protocol version or list of supported ciphers
A missing server name indicator (SNI) extension, if the server requires it
Some unknown or incorrect TLS extension

Forum Discussion

ssl handshake failure with backend server

17 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

BIG-IP Proxy SSL 12.1 Handshake Failure

Monitoring Failure OAuth request

SSL Profiles Part 1: Handshakes

SSL handshake failure using serverssl (F5 and Citrix Netscaler)

TCP Internals: 3-way Handshake and Sequence Numbers Explained