Forum Discussion

mfkk531_168091's avatar
mfkk531_168091
Icon for Nimbostratus rankNimbostratus
Apr 05, 2016

Has anyone successfully used TLSv1.2 on 10.2.4 ? I get a "decrypt_error" when there is client authentication enabled on server.

BigIP 6900

 

OS v 10.2.4

 

Recently our server teams told us they are disabling TLSv1 and 1.1 - only allowing TLSv1.2

 

The communication broke after they disabled - i captured and see only "Client Hello" from LB and no response from server.

 

I forced the serverssl with DEFAULT:!TLSv1:!SSLv3:!SSLv2, Now the f5 makes a client hello over tls1.2

 

But there is a Alert- fatal: decrypt_error

 

I tried with different servers. changed and played around with several different ciphers, but no luck.

 

5 Replies

  • Which cipher is being chosen when it fails? Are you seeing anything in /var/log/ltm?
  • No matter what cipher the server picks- it fails, if the record layer is TLSv1.2 There is nothing updated in /var/log/ltm
  • Could you paste the output from a ssldump (you can anonymize the IPs and cert details). Have you also tried connecting with openssl and forcing TLS 1.2? Perhaps they misconfigured the server when they said they were disallowing TLS 1.0 and 1.1 (this happened to me once).
  • Thanks Paul T Below is the ssldump output New TCP connection 1: 172.16.100.251(6926) <-> abc.xyz.com(4126) 1 1 0.0001 (0.0001) C>S Handshake ClientHello Version 3.3 cipher suites TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA Unknown value 0x3c Unknown value 0x3d Unknown value 0xff compression methods NULL 1 2 0.0010 (0.0008) S>C Handshake ServerHello Version 3.3 session_id[32]= fe f4 f8 9d d7 33 20 0d 63 94 d0 38 cb d9 e6 57 2c 45 6e a2 cf f3 8d 8c b4 14 df 99 f9 8b 56 54 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 1 3 0.0010 (0.0000) S>C Handshake Certificate 1 4 0.0010 (0.0000) S>C Handshake CertificateRequest certificate_types rsa_sign certificate_types dss_sign certificate_types unknown value Not enough data. Found 30 bytes (expecting 32767) ServerHelloDone 1 5 0.0051 (0.0041) C>S Handshake Certificate 1 6 0.0051 (0.0000) C>S Handshake ClientKeyExchange 1 7 0.0051 (0.0000) C>S Handshake CertificateVerify Not enough data. Found 258 bytes (expecting 16384) 1 8 0.0051 (0.0000) C>S ChangeCipherSpec 1 9 0.0051 (0.0000) C>S Handshake 1 10 0.0087 (0.0035) S>C Alert level fatal value decrypt_error 1 0.0092 (0.0004) S>C TCP FIN 1 0.0093 (0.0001) C>S TCP RST
  • I'm sure they disabled the correct versions because when i tried accessing this bypassing load balance4r and idrectly hitting server url - it was working fine. I verified the tls version 1.2 with wireshark running on my PC