VDI broke after upgrade, due to SSL errors

After upgrading from 11.6.1 to 12.1.0 HF1, one of the three VDI environments stopped working. The three VDI environments have the same clientSSL and serverSSL configuration (different profiles but the same config except for the SSL certificate). VDI versions are 5.1.3, 6.2.2 and 6.1.1; the 5.1.3 one broke. On BIG-IP 3900. The cipher string on all the VIPs is/was (DEFAULT:!RSA+RC4:!ECDHE+RC4) and the No SSL option enabled.

Looked into it and got a lot of SSL errors in the LTM log, mainly DHE errors:

    warning tmm3[14143]: 01260009:4: Connection error: ssl_hs_rx_srvkeyxchg:4453: weak DHE group is used (47)

So I tested with curl -v to see what happened. The nodes are fine, working like they should. Curl to the VIP failed with the following error: error:00000000:lib(0):func(0):reason(0), errno 104

Tried different clientSSL profiles with different ciphers; none seemed to work. Even set the cipher string to ALL temporarily for testing, but that also failed. Finally found one cipher that seemed to work: AES128-SHA (and TLS 1.2).

It seems something with the cipher negotiation goes wrong.

Tests:

    curl -k -v https://VIP-IP --ciphers AES128-SHA
    * Connection #0 to host VIP-IP left intact
    * Closing connection #0

    curl -k -v https://VIP-IP --ciphers (any besides AES128-SHA)
    * SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
    * Closing connection #0

But when AES128-SHA is in the cipher string together with other ciphers, it won't pick AES128-SHA but just fails.

Any ideas?

0
Comments on this Discussion
Comment made 22-Aug-2016 by boneyard 5627

Just wondering, are you sure the issue is on the client side? Isn't it the connections from the BIG-IP to the pool members that are failing?

0
Comment made 23-Aug-2016 by RobertS 166

I'm sure it was the VIP, the back-end is working fine. I tested the back-end with curl from the F5 and with View client and HTTPS directly to the back-end.

They use the VMware Horizon View client and can visit the VDI sites with HTTPS. It broke for all the clients, View 3 and 4, and for all browsers, curl and other tests to the VIP address.

SSLv3 was already disabled before the upgrade, and it's disabled by default in BIG-IP 12.1.0. So this wasn't the cause, i.e. that clients were using SSLv3 and it got disabled in 12.1.0.

The only thing I changed to fix it was the cipher string on the clientSSL profile, from DEFAULT:!RSA+RC4:!ECDHE+RC4 to AES128-SHA (0x2f).

It's working now, but with just one cipher. Luckily this one is compatible with all browsers, but it's not an ideal situation of course.

0

Replies to this Discussion


I had this exact problem, after upgrading from 11.6.0 HF5 to 12.1.1. I tried the AES128-SHA config mentioned, but it didn't help in my case.

Two different VDI implementations were affected, one using v1.1 of the iApp and the other using v1.3. I fixed both by rebuilding them with v1.5.1 of the iApp, using the F5 recommended SSL profile settings.

I've checked the new client SSL profile parameters, and the following are non-default:

* Ciphers = DEFAULT:!RC4:!MEDIUM:@STRENGTH
* Enabled Options = Don't insert empty fragments
* Handshake timeout = 10 seconds
* Client certificate = ignore
* Trusted Certificate Authorities = none
* Advertised Certificate Authorities = none

I'd guess that only the first three of these would have any bearing on this issue.

0
Comments on this Reply
Comment made 10-Oct-2016 by James Rodgers 153

FWIW, both use SSL bridging.

0

We had issues with our VDI environment after upgrading to 12.1.1. This was most likely due to the security server not accepting the new DEFAULT ciphers from the BIG-IP, as we are using SSL bridging. I changed the SSL server profile to insecure-compatible, which doesn't use DEFAULT, and the problem was solved.

0
Comments on this Reply
Comment made 06-Feb-2017 by julian.coleman36 0

This is likely due to TLS vulnerability CVE-2015-4000.

https://support.f5.com/csp/article/K16674

BIG-IP v12 no longer considers the DHE cipher suites secure (server-side) due to the downgrade attack.

Add a '!DHE' statement to your server-side SSL profiles.

Ex.

    [juli8279@lb-689684:Active:In Sync] ~ # tmm --clientciphers 'AES-GCM+DHE:AES-GCM+ECDHE'
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  EDH/RSA
     1:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  EDH/RSA
     2: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
     3: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA

    [juli8279@lb-689684:Active:In Sync] ~ # tmm --clientciphers 'AES-GCM+DHE:AES-GCM+ECDHE:!DHE'
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
     1: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
1
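To make the effect of the `!DHE` term above concrete, here is an added example (not from the thread or from F5): a toy Python evaluator for cipher-string terms over a constructed suite table modelled on the tmm output shown in the comment. It approximates OpenSSL-style semantics for `+`, `!` and `-` only; `DEFAULT`, `@STRENGTH` and BIG-IP's real suite catalogue are deliberately not implemented.

```python
"""Toy cipher-string evaluator (constructed approximation of OpenSSL/BIG-IP syntax)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    suite_id: int
    name: str
    cipher: str  # bulk cipher family, e.g. AES-GCM
    keyx: str    # key exchange, e.g. DHE, ECDHE, RSA


# Constructed subset of suites; IDs and names follow the tmm listing in the comment,
# plus AES128-SHA (0x2f) from the original question and one DHE CBC suite.
SUITES = [
    Suite(159, "DHE-RSA-AES256-GCM-SHA384", "AES-GCM", "DHE"),
    Suite(158, "DHE-RSA-AES128-GCM-SHA256", "AES-GCM", "DHE"),
    Suite(49200, "ECDHE-RSA-AES256-GCM-SHA384", "AES-GCM", "ECDHE"),
    Suite(49199, "ECDHE-RSA-AES128-GCM-SHA256", "AES-GCM", "ECDHE"),
    Suite(0x2F, "AES128-SHA", "AES", "RSA"),
    Suite(0x33, "DHE-RSA-AES128-SHA", "AES", "DHE"),
]


def _matches(suite, term):
    # 'A+B' requires every listed property to match (logical AND).
    props = {suite.cipher, suite.keyx}
    return all(p in props for p in term.split("+"))


def evaluate(cipher_string):
    """Return the ordered suites selected by a colon-separated cipher string.

    Plain term: append matching suites not yet selected and not killed.
    '!term': remove matching suites permanently (cannot be re-added later).
    '-term': remove matching suites, but a later term may add them again.
    """
    selected, killed = [], set()
    for term in cipher_string.split(":"):
        if term.startswith("!"):
            hits = {s for s in SUITES if _matches(s, term[1:])}
            killed |= hits
            selected = [s for s in selected if s not in hits]
        elif term.startswith("-"):
            selected = [s for s in selected if not _matches(s, term[1:])]
        else:
            for s in SUITES:
                if _matches(s, term) and s not in killed and s not in selected:
                    selected.append(s)
    return selected


def names(cipher_string):
    return [s.name for s in evaluate(cipher_string)]
```

Running `names('AES-GCM+DHE:AES-GCM+ECDHE:!DHE')` leaves only the two ECDHE suites, matching the second tmm listing.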