Forum Discussion

Emad's avatar
Emad
Icon for Cirrostratus rankCirrostratus
Apr 22, 2014

SSL handshake Failure

one of my VIP were using ssl profiles, I updated ciphers in my ssl profile not to use RC4 and then changes were reverted to default. but after that i am unable to open that site in browser. After checking SSL dump i can see ssl handshake failure. i.e New TCP connection 4: 172.16.2.83(55847) <-> 199.96.220.18(6443) 4 1 1398154000.3027 (0.3390) C>SV3.1(114) Handshake ClientHello Version 3.1 random[32]= 53 56 23 77 70 87 2f d4 74 d1 e7 b0 ac 3d 16 ab 18 6d 3e 14 e6 1b bb 28 c1 87 0c 7d 33 0f 9c 0d cipher suites TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xc013 Unknown value 0xc014 Unknown value 0xc009 Unknown value 0xc00a TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA compression methods NULL 4 2 1398154000.3027 (0.0000) S>CV3.1(2) Alert level fatal value handshake_failure 4 1398154000.3028 (0.0000) S>C TCP FIN 4 1398154000.6416 (0.3388) C>S TCP FIN

 

application delivery
BIG-IP Access Policy Manager (APM)
deployment
design
LTM
security
TMOS

12 Replies

Sort By
Show More
  • Emad's avatar
    Emad
    Icon for Cirrostratus rankCirrostratus
    Apr 22, 2014

    Now CIPHER Set is changed to 

    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)  256

    I am unable to understand even RC4 was included, why it was not working. Can you guide.

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Apr 22, 2014

    You specified RC4 in your client SSL cipher string and, it would seem, never changed that.

    RC4:!SSLv2:!EXPORT40:!EXP:!LOW

    This cipher list represents the server's cipher capability, and since the client wasn't presenting any RC4 ciphers, the session was terminated. Changing the cipher string back to "DEFAULT" would have solved that problem.