Forum Discussion

Nuruddin_Ahmed_
Jun 01, 2016

Proxy SSL

Hi, I've been trying to make the Proxy SSL feature work for a long time, but unfortunately no luck. I am still in learning mode on F5 products. I have clients which require updates from one Microsoft server, and the server authenticates the clients based on a client certificate. I have the right server certificate, and we have modified the server ciphers as follows:


33: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1   Native AES SHA ECDHE_RSA
34: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
37: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1   Native AES SHA ECDHE_RSA
38: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
39: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
40: 49170 ECDHE-RSA-DES-CBC3-SHA   192 TLS1   Native DES SHA ECDHE_RSA
41: 49170 ECDHE-RSA-DES-CBC3-SHA   192 TLS1.1 Native DES SHA ECDHE_RSA
42: 49170 ECDHE-RSA-DES-CBC3-SHA   192 TLS1.2 Native DES SHA ECDHE_RSA


I am not sure why it's not working; after the client SSL hello, I get a TCP RST :(

Can someone help? What needs to be checked?


7 Replies

  • nathe

    Nuruddin, do you have a client and server SSL configured on the VIP, both with proxy SSL enabled?

    You may be best running ssldump to see what's happening.

    N

  • New TCP connection 39: 10.10.10.10(50993) <-> 10.9.9.9(443)

    New TCP connection 40: 10.9.9.8(24459) <-> 10.9.9.7(443)

    39 1 0.0015 (0.0015) C>SV3.1(167) Handshake

      ClientHello
        Version 3.1
        random[32]=
          57 4e 87 82 55 74 e8 19 ef dd 10 a1 b8 6f 3b a4
          af 6c 0b f7 8b 79 17 d3 fb 23 d0 c6 c5 39 80 96
        cipher suites
        Unknown value 0xff
        Unknown value 0xc00a
        Unknown value 0xc014
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
        TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        Unknown value 0xc00f
        Unknown value 0xc005
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        Unknown value 0xc007
        Unknown value 0xc009
        Unknown value 0xc011
        Unknown value 0xc013
        Unknown value 0x45
        Unknown value 0x44
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        Unknown value 0xc00c
        Unknown value 0xc00e
        Unknown value 0xc002
        Unknown value 0xc004
        Unknown value 0x96
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_AES_128_CBC_SHA
        Unknown value 0xc008
        Unknown value 0xc012
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        Unknown value 0xfeff
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
    

    40 1 0.0007 (0.0007) C>SV3.1(167) Handshake

      ClientHello
        Version 3.1
        random[32]=
          57 4e 87 82 55 74 e8 19 ef dd 10 a1 b8 6f 3b a4
          af 6c 0b f7 8b 79 17 d3 fb 23 d0 c6 c5 39 80 96
        cipher suites
        Unknown value 0xff
        Unknown value 0xc00a
        Unknown value 0xc014
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
        TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        Unknown value 0xc00f
        Unknown value 0xc005
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        Unknown value 0xc007
        Unknown value 0xc009
        Unknown value 0xc011
        Unknown value 0xc013
        Unknown value 0x45
        Unknown value 0x44
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        Unknown value 0xc00c
        Unknown value 0xc00e
        Unknown value 0xc002
        Unknown value 0xc004
        Unknown value 0x96
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_AES_128_CBC_SHA
        Unknown value 0xc008
        Unknown value 0xc012
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        Unknown value 0xfeff
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
    

    40 2 0.0036 (0.0029) S>CV3.1(3605) Handshake

      ServerHello
        Version 3.1
        random[32]=
          57 4e 87 80 a6 10 2d a8 57 77 93 4b 02 d0 a8 4b
          c6 f4 ca 77 59 b3 9c 16 57 c3 84 d1 1b c4 dd 2f
        session_id[32]=
          af 1e 00 00 b6 6b 3a 8f f7 b7 fd bf fa f0 bf 22
          4a 71 b2 3b 41 49 fa 62 84 e8 aa 90 d7 f7 b0 3e
        cipherSuite         Unknown value 0xc014
        compressionMethod                   NULL
      Certificate
      ServerKeyExchange
      ServerHelloDone
    

    40 3 0.0037 (0.0000) C>SV3.1(2) Alert

    level           fatal
    value           handshake_failure
    

    39 2 0.0045 (0.0030) S>CV3.1(2) Alert level fatal value handshake_failure

    39 0.0045 (0.0000) S>C TCP RST

    40 0.0037 (0.0000) C>S TCP RST

    • nathe
      This does suggest the server doesn't support any of the ciphers the client is suggesting. Can you double-check your client SSL cipher string setting?
    • Nuruddin_Ahmed_
      Hi Nathan, when I am accessing the backend server directly, I am able to open it from the same client machine, but via F5 it's not. I am checking if I can do anything with ciphers. Thanks for the suggestions, they were really helpful.
  • Could it be because of the cipher suite unknown value:

    40 2 0.0036 (0.0029) S>CV3.1(3605) Handshake

      ServerHello
        Version 3.1
        random[32]=
          57 4e 87 80 a6 10 2d a8 57 77 93 4b 02 d0 a8 4b
          c6 f4 ca 77 59 b3 9c 16 57 c3 84 d1 1b c4 dd 2f
        session_id[32]=
          af 1e 00 00 b6 6b 3a 8f f7 b7 fd bf fa f0 bf 22
          4a 71 b2 3b 41 49 fa 62 84 e8 aa 90 d7 f7 b0 3e
        **cipherSuite         Unknown value 0xc014**
        compressionMethod                   NULL
    
    • Nuruddin_Ahmed_
      Also, in the client hello the version is 3.0 and in the server hello it is 3.1. Could this be the problem?
    • nathe
      It could be, although I don't see that in the logs above. Anyway, if the client is 3.0 then this is the maximum SSL version it supports, i.e. SSL v3. If the server responds with 3.1 then this is telling the client it only supports TLS 1.0 or above. This will be a problem.