adiezma_1656
Mar 14, 2013

Monitor HTTPS on Version 11

Hi,

I upgraded an F5 LTM to version 11.2.1 HF4 from version 10.2.0.

I have a problem with multiple monitors in pools with members on port 4443.

The monitor is as follows:

Type: HTTPS
Send String: GET /test/index.html HTTP/1.1\r\nHost: 10.X.XXX.XX:4443\r\n\r\n
Receive String: 200
Cipher list: DEFAULT:+SHA:+3DES:+kEDH

Any idea why it might not be working in version 11?

Thanks a lot!

A. DIEZMA

 

6 Replies

  • I think the send string is correct. Have you tried ssldump?
  • I have not tried. In version 10 it worked, but not in version 11.2.1.

    Thanks!

  • Hi;

    I modified the monitor with this:

    GET /test/index.html HTTP/1.1\r\nHost: 10.8.138.21:4443\r\nConnection: Close\r\n\r\n

    but it doesn't work...**bleep**! Hahaha, I'm going mad...

    The openssl probe is correct:

    openssl s_client -connect 10.8.138.21%3:4443
    CONNECTED(00000003)
    depth=1 /C=ES/O=FNMT/OU=FNMT Clase 2 CA
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
    0 s:/C=ES/O=FNMT/OU=FNMT Clase 2 CA/OU=BLABLA/OU=00000000/CN=xxx.yyy.zzz.eee.ccc
    i:/C=ES/O=FNMT/OU=FNMT Clase 2 CA
    1 s:/C=ES/O=FNMT/OU=FNMT Clase 2 CA
    i:/C=ES/O=FNMT/OU=FNMT Clase 2 CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
    -----END CERTIFICATE-----
    subject=/C=ES/O=FNMT/OU=FNMT Clase 2 CA/OU=BLABLA/OU=00000000/CN=xxx.yyy.zzz.eee.ccc
    issuer=/C=ES/O=FNMT/OU=FNMT Clase 2 CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1960 bytes and written 351 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : SSLv3
    Cipher : DES-CBC3-SHA
    Session-ID: FXXXXXXXXXXXXBEXXXXXXXXC
    Session-ID-ctx:
    Master-Key: XXXXXXXXXXXXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Key-Arg : None
    Start Time: 1366801496
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    ---
    GET /test/index.html HTTP/1.1
    Host: 10.8.138.15:4443
    
    
    
    HTTP/1.1 200 OK
    ETag: "17b9a-2f-4a49e886"
    Content-Type: text/html
    Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.2.0 (N;ecid=325862908542,0)
    Last-Modified: Tue, 30 Jun 2009 10:27:18 GMT
    Content-Length: 47
    Date: Wed, 24 Apr 2013 11:05:01 GMT
    Accept-Ranges: bytes
    
    
    almendra1 10.1.3. OK
    
    
    
    
    closed

    Any idea???????

    A. Diezma
  • I'd suggest you remove :4443; I don't see the need for it at all if the monitor is sending the request to the correct port.
  • I modified the monitor with this:

    GET /test/index.html HTTP/1.1\r\nHost: 10.8.138.21:4443\r\nConnection: Close\r\n\r\n

    but it doesn't work...Damn! Hahaha, I'm going mad...

    The openssl probe is correct:

    Have you tried tcpdump/ssldump on the health monitor traffic? What was different from the openssl s_client?
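
Added example (not part of the thread and not F5 code): a small Python parser that pulls the negotiated protocol, cipher, key size, renegotiation status and verify code out of `openssl s_client` output, so the manual probe can be compared field by field with what ssldump shows for the monitor's own handshake. The sample input is constructed from the handshake summary posted above; the function and field names are illustrative assumptions.

```python
import re

# Constructed sample: handshake summary lines taken from the s_client output in the thread.
SAMPLE = """\
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
Verify return code: 19 (self signed certificate in certificate chain)
"""

# One regex per field of interest (field names are illustrative).
FIELDS = {
    "protocol": r"^\s*Protocol\s*:\s*(\S+)",
    "cipher": r"^\s*Cipher\s*:\s*(\S+)",
    "key_bits": r"^Server public key is (\d+) bit",
    "verify_code": r"^\s*Verify return code:\s*(\d+)",
}

def parse_s_client(text):
    """Extract the negotiated handshake parameters from s_client output."""
    info = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        info[name] = m.group(1) if m else None
    info["secure_reneg"] = "Secure Renegotiation IS supported" in text
    return info

def findings(info):
    """List parameters worth comparing against the monitor's handshake."""
    notes = []
    if info["protocol"] in ("SSLv2", "SSLv3"):
        notes.append(f"legacy protocol negotiated: {info['protocol']}")
    if info["cipher"] and re.search(r"DES|RC4|NULL|EXP", info["cipher"]):
        notes.append(f"legacy cipher negotiated: {info['cipher']}")
    if info["key_bits"] and int(info["key_bits"]) < 2048:
        notes.append(f"server key is only {info['key_bits']} bits")
    if not info["secure_reneg"]:
        notes.append("server does not support secure renegotiation (RFC 5746)")
    if info["verify_code"] not in (None, "0"):
        notes.append(f"chain did not verify (code {info['verify_code']})")
    return notes

if __name__ == "__main__":
    for note in findings(parse_s_client(SAMPLE)):
        print("-", note)
```

Running the same parser over an s_client capture taken with the monitor's cipher list gives a second record to diff against this one.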