SSL Profile Handshake/Failure statistics (such fun, must look, so much question)
Hi! Fair warning, long post. TLDR; = "How to decipher SSL profile statistics"

Looking at the SSL profile handshake statistics and trying to decipher what they mean. It feels a bit like looking at a triple rainbow! There's more of them, but I'll focus on a few to make it manageable:

Certificates/Handshakes
  Valid Certificates                 0
  Invalid Certificates               0
  No Certificates                    0
  Mid-Connection Handshakes          0
  Secure Handshakes                  0
  Current Active Handshakes          0
  Insecure Handshakes Accepted       0
  Insecure Handshakes Rejected       0
  Insecure Renegotiations Rejected   0
  Mismatched Server Name Rejected    0
Failures
  Premature Disconnects              0
  Handshake Failures                 0
  Renegotiations Rejected            0
  Aggregate Renegotiations Rejected  0
  Fatal Alerts                       0
  Active Handshakes Rejected         0

Found some articles on the topic:

Thought I really found the answer here, as the "Help" tab in the web UI is generally pretty awesome. But not in this case:
"Certificates/Handshakes: Displays certificate and SSL handshake data for Client SSL profile traffic."

https://devcentral.f5.com/articles/ssl-profiles-part-1
This series is really awesome. Props to John and Jason!

On to some theories (and answers from F5):

Certificates/Handshakes
Valid Certificates - Valid client certificates
Invalid Certificates - Invalid client certificates
No Certificates - No client certificate presented
Mid-Connection Handshakes - Successful renegotiations show up under the "Certificates/Handshakes" heading in the "Mid-Connection Handshakes" field.
Secure Handshakes - A patched client
Current Active Handshakes - SSL sessions being established right now
Insecure Handshakes Accepted - An unpatched client. First connection accepted (Profile is Request or Require).
Insecure Handshakes Rejected - An unpatched client. First connection rejected (Profile is Request Strict).
Insecure Renegotiations Rejected - An unpatched client. First renegotiation attempt rejected (Profile is Require).

Failures
Mismatched Server Name Rejected - ?
Premature Disconnects - Session not closed gracefully
Handshake Failures - Client and server not able to agree on a cipher
Renegotiations Rejected - Escalated within F5
Aggregate Renegotiations Rejected - Escalated within F5
Fatal Alerts - For a Fatal Alert the reason can be very different, for example: no common ciphers for client and server; the client does not send a client cert when client authentication is enabled on BIG-IP; the maximum number of allowed handshakes configured has been reached; or a timer that kicks in after the 3WHS is completed, and if the SSL handshake does not complete within the configured value then "SSL Handshake Timeout Exceeded" occurs, a Fatal Alert is sent and the connection is reset by BIG-IP.
Active Handshakes Rejected - Currently rejected handshakes?

Records
In - Self explaining
Out - Self explaining
Bad - Escalated within F5
DTLS Tx Pushbacks - Escalated within F5

References:
https://devcentral.f5.com/questions/insecure-handshakes-accepted
CVE-2009-3555 more information here

Any input is welcome. Together we might be able to "decipher" this. 🙂
/Patrik
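As an added example (not from the post, F5, or DevCentral), here is a small Python script that parses a constructed stats dump using the counter names quoted above and flags the conditions the theories describe: a high handshake failure rate (cipher/protocol mismatch), clients still being accepted without secure renegotiation (the CVE-2009-3555 case), invalid client certificates, and SNI mismatches. The dump layout (section header, indented "Name   value" rows) and the 5% failure threshold are assumptions.

```python
import re
# Constructed sample (not a real capture): section headers with indented
# "Name   value" counters, following the field names quoted in the post.
SAMPLE = """\
Certificates/Handshakes
  Valid Certificates                   120
  Invalid Certificates                   3
  Secure Handshakes                   1500
  Insecure Handshakes Accepted          25
  Insecure Handshakes Rejected           0
  Mismatched Server Name Rejected       11
Failures
  Premature Disconnects                 60
  Handshake Failures                    90
  Fatal Alerts                          95
"""

STAT_LINE = re.compile(r"^\s+(?P<name>[A-Za-z][A-Za-z /-]*?)\s{2,}(?P<value>\d+)$")

def parse_ssl_stats(text):
    """Return {section: {counter: int}} from a dump laid out like SAMPLE."""
    stats, section = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():       # unindented line = section header
            section = line.strip()
            stats.setdefault(section, {})
            continue
        m = STAT_LINE.match(line)
        if m and section:
            stats[section][m["name"]] = int(m["value"])
    return stats

def assess(stats, max_failure_rate=0.05):
    """Flag what these counters alone can tell a defender (threshold is assumed)."""
    hs, fail = stats.get("Certificates/Handshakes", {}), stats.get("Failures", {})
    findings = []
    failures = fail.get("Handshake Failures", 0)
    attempts = failures + sum(hs.get(k, 0) for k in (
        "Secure Handshakes", "Insecure Handshakes Accepted", "Insecure Handshakes Rejected"))
    if attempts and failures / attempts > max_failure_rate:
        findings.append("handshake failure rate %.1f%%: check cipher/protocol overlap with clients"
                        % (100 * failures / attempts))
    if hs.get("Insecure Handshakes Accepted", 0):
        findings.append("clients lacking RFC 5746 secure renegotiation still accepted "
                        "(CVE-2009-3555 class exposure); review the profile's Secure Renegotiation setting")
    if hs.get("Invalid Certificates", 0):
        findings.append("client certificates rejected as invalid: check the trusted CA bundle and CRL")
    if hs.get("Mismatched Server Name Rejected", 0):
        findings.append("SNI mismatches rejected: clients asked for a server name no profile serves")
    return findings
```

Feed it the output of your own stats dump instead of SAMPLE and compare runs over time; single counters are less telling than their rate of change.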