ServerSSL profile issues after upgrade to v11.4.1
Hi. I am in the process of upgrading from 10.2.4HF5 to 11.4.1HF3 and have hit a problem that I cannot resolve.
Basically one of my ServerSSL profiles is failing after upgrade.
If I remove the profile everything works as expected.
The profile before change looks like this:
profile serverssl PROFILE_SYST_WASHCI3_INTERNAL_LIVE_SERVERSSL {
   defaults from serverssl
   ca file "ISOSEM.crt"
   ciphers "HIGH:MEDIUM:!SSLv2:!ADH"
   options dont insert empty fragments
   renegotiate enable
   renegotiate period indefinite
   renegotiate size indefinite
   peer cert mode require
   authenticate once
   authenticate depth 9
   authenticate name "hci3syst01.internal.company.com"
   unclean shutdown enable
   handshake timeout 60
   alert timeout 60
   cache size 20000
   cache timeout 300
}
The profile after change looks like this:
ltm profile server-ssl /SOA/PROFILE_SYST_WASHCI3_INTERNAL_LIVE_SERVERSSL {
    alert-timeout 60
    app-service none
    authenticate once
    authenticate-depth 9
    authenticate-name hci3syst01.internal.company.com
    ca-file /Common/ISOSEM.crt
    cache-size 20000
    cache-timeout 300
    ciphers DEFAULT:!TLSv1_1:!TLSv1_2
    defaults-from /Common/serverssl
    handshake-timeout 60
    options { dont-insert-empty-fragments }
    peer-cert-mode require
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    unclean-shutdown enabled
}
I had to change the ciphers as I was seeing the following errors in the log when trying to connect:
Jun 9 10:14:44 bipscint2 warning tmm[13423]: 01260017:4: Connection attempt to insecure SSL server (see RFC5746) aborted: 172.31.100.195:443
Jun 9 10:14:44 bipscint2 info tmm[13423]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:62326 to 172.31.100.195:443
After changing ciphers I am now just getting:
Jun 9 10:12:40 bipscint2 info tmm1[13423]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:62163 to 172.31.100.195:443
I also changed the secure-renegotiation to require-strict to request (as I have seen issues with this).
I have tried numerous Cipher settings and none have been successful.
When I run a SSLDump I get the following:
New TCP connection 1: 172.31.81.95(62005) <-> server.internal.company.com(443)
1 1 0.0013 (0.0013) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc012
Unknown value 0xff
compression methods
NULL
1 2 0.0027 (0.0014) S>C Alert
level fatal
value handshake_failure
1 0.0031 (0.0003) S>C TCP FIN
10.0032 (0.0001) C>S TCP RST
I know it looks like it's a server problem, but this did work on version 10.2.4.
Cipher combinations I have tried (in no particular order):
DEFAULT:!TLSv1_1:!TLSv1_2:TLSv1
RC4-SHA:DEFAULT:!TLSv1_1:!TLSv1_2:!TLSv1
RC4-SHA:DEFAULT:!TLSv1_1:!TLSv1_2
TLSv1
TLSv1:DEFAULT
HIGH:MEDIUM:!SSLv2:!ADH:!TLSv1_1:!TLSv1_2
HIGH:MEDIUM:!SSLv2:!ADH:!TLSv1_1:!TLSv1_2
RC4-MD5:DEFAULT:!TLSv1_1:!TLSv1_2:!TLSv1
RC4-MD5:DEFAULT:!TLSv1_1:!TLSv1_2
TLSv1
The server is only configured to allow RC4-MD5 ciphers.
However, even putting this in still generates the same error message. Any ideas?
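As an added example (not from the original post and not F5 code), a small Python script that parses the cipher-suite list from the ssldump ClientHello above, resolves the hex code points ssldump left as "Unknown value" using the IANA registry names, and reports which offered suites a server-side allow list also accepts. The ssldump text and the RC4-MD5-only allow list are constructed from the post; the handful of IANA code points in the table are the registered values, and 0x00FF is the RFC 5746 renegotiation signalling value rather than a cipher.

```python
import re
# Subset of the IANA TLS cipher-suite registry covering the code points in the
# capture above (names are the registered IANA values).
IANA_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # RFC 5746 signal, not a cipher
}
# Constructed input: the cipher-suite section of the ssldump ClientHello in the post.
SSLDUMP_CLIENTHELLO = """\
cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc012
Unknown value 0xff
compression methods
NULL
"""

def parse_offered_suites(dump):
    """Return the suite names the ClientHello offered, resolving 'Unknown value 0x..' lines."""
    block = dump.split("cipher suites", 1)[1].split("compression methods", 1)[0]
    suites = []
    for line in block.strip().splitlines():
        m = re.match(r"Unknown value 0x([0-9a-fA-F]+)$", line.strip())
        if m:
            code = int(m.group(1), 16)
            suites.append(IANA_SUITES.get(code, "UNKNOWN_0x%04x" % code))
        else:
            suites.append(line.strip())
    return suites

def common_suites(offered, server_allowed):
    """Real suites both sides accept; the SCSV is a signal, so it never counts as a match."""
    return [s for s in offered if s in server_allowed and not s.endswith("_SCSV")]

if __name__ == "__main__":
    offered = parse_offered_suites(SSLDUMP_CLIENTHELLO)
    # Constructed allow list modelling a server that accepts only RC4-MD5.
    print(common_suites(offered, {"TLS_RSA_WITH_RC4_128_MD5"}))
```

An empty result means no suite in the ClientHello is on the server's list, which is what a fatal handshake_failure alert straight after the ClientHello indicates; the same parser can be pointed at a fresh ssldump capture after each cipher-string change.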