Forum Discussion
Vikky_193911
Nov 12, 2018 Altostratus
Below is an ssldump from BIG-IP; the client offers TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA and the very same cipher is in DEFAULT, and yet it is handshake_failure all the way.

New TCP connection 559: CLIENT_3(42790) <-> LB_VS(443)
559 1 0.0477 (0.0477) C>S Handshake
    ClientHello
        Version 3.1
        cipher suites
            TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA
            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA
            TLS_RSA_WITH_AES_256_CBC_SHA
            TLS_RSA_WITH_AES_128_CBC_SHA
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            TLS_FALLBACK_SCSV
        compression methods
            NULL
        extensions
            renegotiation_info
            server_name
            extended_master_secret
            SessionTicket
            status_request
            Unknown extension (0x3374)
            signed_certificate_timestamp
            application_layer_protocol_negotiation
            Unknown extension (0x7550)
            ec_point_formats
            supported_groups
559 2 0.0477 (0.0000) S>C Alert
    level fatal
    value handshake_failure
559 0.0477 (0.0000) S>C TCP FIN
559 0.0480 (0.0003) C>S TCP RST

tmm --serverciphers 'DEFAULT' | grep ECDHE-ECDSA-AES256-SHA
34: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1 Native AES SHA ECDHE_ECDSA
35: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.1 Native AES SHA ECDHE_ECDSA
36: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDHE_ECDSA
37: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_ECDSA
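
A cross-check of the two outputs in the post, as an added example that is not part of the original post: it converts the IANA suite names ssldump prints to the OpenSSL-style names in the tmm listing and reports which offered suites the listing enables at the protocol version the ClientHello offers (3.1, i.e. TLS 1.0). The function names and the name mapping (CBC suites only) are assumptions of this example; the sample input is abridged from the post.

```python
import re

# Constructed sample input: abridged from the ssldump and tmm output quoted in the post.
SSLDUMP = """ClientHello
Version 3.1
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_FALLBACK_SCSV
compression methods
NULL"""
TMM = """34: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1 Native AES SHA ECDHE_ECDSA
36: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDHE_ECDSA
37: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_ECDSA"""
WIRE_VERSION = {"3.0": "SSL3", "3.1": "TLS1", "3.2": "TLS1.1", "3.3": "TLS1.2"}
BULK = {"AES_256_CBC": "AES256", "AES_128_CBC": "AES128", "3DES_EDE_CBC": "DES-CBC3"}

def openssl_name(iana):
    """Convert an IANA CBC suite name to its OpenSSL-style name, else None."""
    m = re.fullmatch(r"TLS_(\w+?)_WITH_(\w+)_(SHA\d*)", iana)
    if not m or m.group(2) not in BULK:
        return None  # signalling values (TLS_FALLBACK_SCSV) or unmapped bulk ciphers
    kx = "" if m.group(1) == "RSA" else m.group(1).replace("_", "-") + "-"
    return f"{kx}{BULK[m.group(2)]}-{m.group(3)}"

def parse_client_hello(text):
    """Return (protocol label, offered OpenSSL-style suite names) from ssldump text."""
    lines = [ln.strip() for ln in text.splitlines()]
    version = next(ln.split()[1] for ln in lines if ln.startswith("Version "))
    start, end = lines.index("cipher suites") + 1, lines.index("compression methods")
    names = [openssl_name(ln) for ln in lines[start:end]]
    return WIRE_VERSION[version], [n for n in names if n]

def parse_tmm(text):
    """Return {(suite name, protocol): last (key exchange) column} per listing row."""
    rows = {}
    for ln in text.splitlines():
        f = ln.split()
        if len(f) == 9 and f[0].endswith(":"):
            rows[(f[2], f[4])] = f[8]
    return rows

def usable_suites(ssldump_text, tmm_text):
    """Offered suites that the listing enables at the ClientHello's protocol version."""
    proto, offered = parse_client_hello(ssldump_text)
    listed = parse_tmm(tmm_text)
    return [(n, proto, listed[(n, proto)]) for n in offered if (n, proto) in listed]
```

Calling `usable_suites(SSLDUMP, TMM)` on the sample returns the single TLS1 row for ECDHE-ECDSA-AES256-SHA, the match the poster describes.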