Forum Discussion

Akhilesh_128432
Mar 10, 2016

F5 HTTPS monitor not working

Our F5 is running on 11.4.0 and now a couple of new HTTPS monitors we configured are failing. I believe this issue is due to ciphers. Our application supports only TLSv1.2 ciphers, and now I am seeing a handshake error. Can anybody please help with this? This is important for our GA now.

When I check the F5 cipher list, I am seeing a lot of TLSv1.2 ciphers.

```
~ tmm --clientciphers 'DEFAULT'
       ID  SUITE                     BITS  PROT    METHOD  CIPHER  MAC     KEYX
 0:     5  RC4-SHA                   128   SSL3    Native  RC4     SHA     RSA
 1:     5  RC4-SHA                   128   TLS1    Native  RC4     SHA     RSA
 2:     5  RC4-SHA                   128   TLS1.1  Native  RC4     SHA     RSA
 3:     5  RC4-SHA                   128   TLS1.2  Native  RC4     SHA     RSA
 4:    47  AES128-SHA                128   SSL3    Native  AES     SHA     RSA
 5:    47  AES128-SHA                128   TLS1    Native  AES     SHA     RSA
 6:    47  AES128-SHA                128   TLS1.1  Native  AES     SHA     RSA
 7:    47  AES128-SHA                128   TLS1.2  Native  AES     SHA     RSA
 8:    47  AES128-SHA                128   DTLS1   Native  AES     SHA     RSA
 9:    53  AES256-SHA                256   SSL3    Native  AES     SHA     RSA
10:    53  AES256-SHA                256   TLS1    Native  AES     SHA     RSA
11:    53  AES256-SHA                256   TLS1.1  Native  AES     SHA     RSA
12:    53  AES256-SHA                256   TLS1.2  Native  AES     SHA     RSA
13:    53  AES256-SHA                256   DTLS1   Native  AES     SHA     RSA
14:    10  DES-CBC3-SHA              192   SSL3    Native  DES     SHA     RSA
15:    10  DES-CBC3-SHA              192   TLS1    Native  DES     SHA     RSA
16:    10  DES-CBC3-SHA              192   TLS1.1  Native  DES     SHA     RSA
17:    10  DES-CBC3-SHA              192   TLS1.2  Native  DES     SHA     RSA
18:    10  DES-CBC3-SHA              192   DTLS1   Native  DES     SHA     RSA
19:    60  AES128-SHA256             128   TLS1.2  Native  AES     SHA256  RSA
20:    61  AES256-SHA256             256   TLS1.2  Native  AES     SHA256  RSA
21: 49171  ECDHE-RSA-AES128-CBC-SHA  128   TLS1    Native  AES     SHA     ECDHE_RSA
22: 49171  ECDHE-RSA-AES128-CBC-SHA  128   TLS1.1  Native  AES     SHA     ECDHE_RSA
23: 49171  ECDHE-RSA-AES128-CBC-SHA  128   TLS1.2  Native  AES     SHA     ECDHE_RSA
24: 49172  ECDHE-RSA-AES256-CBC-SHA  256   TLS1    Native  AES     SHA     ECDHE_RSA
25: 49172  ECDHE-RSA-AES256-CBC-SHA  256   TLS1.1  Native  AES     SHA     ECDHE_RSA
26: 49172  ECDHE-RSA-AES256-CBC-SHA  256   TLS1.2  Native  AES     SHA     ECDHE_RSA
27: 49170  ECDHE-RSA-DES-CBC3-SHA    192   TLS1    Native  DES     SHA     ECDHE_RSA
28: 49170  ECDHE-RSA-DES-CBC3-SHA    192   TLS1.1  Native  DES     SHA     ECDHE_RSA
29: 49170  ECDHE-RSA-DES-CBC3-SHA    192   TLS1.2  Native  DES     SHA     ECDHE_RSA
```

I tried the curl command from the F5 load balancer and that has also failed.

```
curl -vk https://10.50.64.226:10001/lbhealthcheck.html
* About to connect() to 10.50.64.226 port 10001 (0)
* Trying 10.50.64.226... connected
* Connected to 10.50.64.226 (10.50.64.226) port 10001 (0)
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
```

```
openssl s_client -connect 10.50.64.226:10001 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
24078:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:182:
```


Thanks, Akhi

2 Replies