SSL Cipher error in ltm logfile "Cipher XX:Y negotiated is not configured in profile "

Question

I recently moved an HTTPS Virtual Server from an old LTM (running 9.3.1) to a new pair of load balancers running 11.4.1.  This particular Virtual Server is using both a client SSL profile and a server SSL profile, pointing at a pool with a single node.  Everything seems to be working with my various browser testing.  However, I'm seeing log lines in /var/log/ltm such as the following:&nbsp;
Nov  7 08:10:33 bigip7 err tmm4[12863]: 01260014:3: Cipher 16:2 negotiated is not configured in profile /Common/MyClientSSLProfile.&nbsp;
Nov  7 08:21:44 bigip7 err tmm3[12863]: 01260014:3: Cipher 16:2 negotiated is not configured in profile /Common/MyServerSSLProfile.&nbsp;
Both of the above SSL Profiles utilize the "DEFAULT" cipher list.  So, my assumption is that some clients are hitting this Virtual Server and are presenting a cipher that the DEFAULT cipher list doesn't include.&nbsp;
Can anyone decode what the "Cipher 16:2" (there are others... "Cipher 4:3", "Cipher 16:3", "Cipher 4:2" etc.) notation means - is it specific to the lines you see when you issue "tmm -clientciphers 'DEFAULT'" or "tmm -serverciphers 'DEFAULT'"?&nbsp;
I'm not sure that anything is really wrong here, but I am concerned that we might be trashing some SSL connections (doing a tcpdump of the traffic, and correlating times when the above /var/log/ltm errors get logged, then looking up the source IP address and correlating the timestamp to the Apache logfiles shows me most of these hits are to the webserver and doing a "GET /") - clearly not all SSL transactions are throwing the /var/log/ltm errors - just some.&nbsp;
Thanks for any insight anyone may have.&nbsp;
Joe

kevin_k_51432 · Accepted Answer

I don't believe that cipher message is going to map to a specific cipher and I've only ever seen it when the Proxy SSL is configured. Is that a feature you've enabled? &nbsp;
Enabling debug logging for SSL might help, just remember to set it back when done.&nbsp;
tmsh modify sys db log.ssl.level value debug&nbsp;
tmsh modify sys db log.ssl.level value warning&nbsp;
Just a guess; Proxy SSL is enabled and the backend server is using a cipher which isn't in BIG-IP's DEFAULT cipher list. Just some additional background:&nbsp;
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13389.html&nbsp;

joe_volesky_969 · Answer

Thanks for your reply, and that link to the KB article.&nbsp;
I do have "Proxy SSL" enabled on both SSL profiles - this is kind of new to me, though- on the 9.3.1 platform, this didn't exist, but it seems like the only way I could get the same functionality on 11.4.1. Frankly, this is a simple setup:&nbsp;
2 backend Web servers A and B. There's a single virtual server for port 80 requests and a single virtual server for port 443 requests. There's an iRule in place on the port 80 VS which simply does "when http request, if URI = (a number ofthings) send it to node A, otherwise send it to B". The port 443 VS has a pool associated with it which only includes Server B - all SSL traffic is sent to Server B.&nbsp;
While I have things set up to do x-forwarded-for on the SSL Virtual Server I don't even know that I care to have that functionality - which raises the question of why I'm doing Proxy SSL at all. The "Server B" webserver has the SSL certificate, key, root CA, intermediate certificates just as the F5 does; maybe I'm making this more complicated, and should configure the SSL Virtual server to simply connect the client directly to Server B for all SSL traffic. I'm just not sure I know how to do that - seems like Proxy SSL is the only way I could get it to work...&nbsp;

kevin_k_51432 · Answer

You're welcome. On the surface it doesn't appear you really need the Proxy SSL feature. I would consider using Proxy SSL for instances where you need to leverage an optimization feature like cookies, iRules, compression, etc. Another benefit is passing some larger object like client SSL certificate to the backend server. You could most likely either terminate the Certificate / Key on the BIG-IP or simply pass the 443 straight through.

joe_volesky_969 · Answer

Yeah, I want to pass the traffic straight through (for what are likely dumb reasons, I can't terminate SSL on the BIG-IP due to the way Apache is configured on Server B - it's a server I don't run, is old, and needs to do its own SSL stuff, apparently).  I guess I'll play with other configurations that don't use the Proxy SSL feature and see where I end up.
Thanks again.
- Joe&nbsp;

kevin_k_51432 · Answer

A simple Performance Layer 4 is probably all you need to pass the TCP/443 traffic along.&nbsp;
http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14163&nbsp;

neeraj_jags_152 · Answer

Hi ,&nbsp;
I am too getting these messages like below.
 Cipher 4:3 negotiated is not configured in profile /scms_partition/CRM-.app/CRM. &nbsp;
I am not sure why this , Log level -err, &nbsp;

Forum Discussion

SSL Cipher error in ltm logfile "Cipher XX:Y negotiated is not configured in profile <sslprofilename>"

7 Replies

Recent Discussions

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Related Content

Understanding IPSec IKEv2 negotiation on Wireshark

Understanding IPSec IKEv1 negotiation on Wireshark

iRule to decode WebSocket negotiation and frames

Cipher negotiated between F5 and Node

Adding Cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA"