SERVER SSL profile ciphers work fine, but not HTTPS monitor
Hi,
I'm currently implementing an LTM config with a virtual server pointing to a real server which only supports TLS 1.0 and old ciphers.
I managed to get it working using the following config:
- ServerSSL profile: based on serverssl-insecure-compatible, cipher list: !SSLv2:!TLSv1_2:!TLSv1_1:!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED (I had to disable TLS v1.1 and 1.2 because the client hello used SSL version 3.3 and the server sent a fatal alert for incompatible protocol version)
- HTTPS monitor:
  - Send String: GET /mypath/ HTTP/1.1\r\nHost: mysite.com\r\nConnection: close\r\n\r\n
  - Receive string: 302 Moved temporarily (the site redirects unauthenticated sessions to the authentication portal)
  - Cipher list: AES-256-SHA
I ran a script to determine supported ciphers on the server and found the following:
  Testing AES256-SHA...YES
  Testing AES128-SHA...YES
  Testing ADH-DES-CBC3-SHA...YES
  Testing ADH-DES-CBC-SHA...YES
  Testing EXP-ADH-DES-CBC-SHA...YES
  Testing ADH-RC4-MD5...YES
  Testing EXP-ADH-RC4-MD5...YES
  Testing EDH-RSA-DES-CBC3-SHA...YES
  Testing EDH-RSA-DES-CBC-SHA...YES
  Testing EXP-EDH-RSA-DES-CBC-SHA...YES
  Testing DES-CBC3-SHA...YES
  Testing DES-CBC-SHA...YES
  Testing EXP-DES-CBC-SHA...YES
  Testing RC4-SHA...YES
  Testing RC4-MD5...YES
  Testing EXP-RC4-MD5...YES
  Testing EXP-RC4-MD5...YES
  Testing RC4-MD5...YES
When my HTTPS monitor is set with AES-256-SHA as a cipher list, I can connect. However, I'd like to be less specific than that because I don't want the monitor to fail because the sysadmin or application admin upgraded to a newer version or changed the list of supported ciphers. But when I use the same cipher list that I used in the SSL server profile, it fails...
Any idea why?
Enabling bigd.debug only showed: unable to connect; giving up [ addr=::ffff:x.x.x.x:yyyy srcaddr=::ffff:a.a.a.a:bbbb ]
and ssldump shows a successful SSL negotiation with Application data. I don't have access to the server's private key so I can't decrypt.
Thanks in advance for any hint or explanation.
Tom
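One way to narrow down a monitor cipher-list mismatch like the one above is to compare each explicit cipher name in the candidate monitor string against the set of ciphers the scan showed the server accepting, before touching the monitor. The script below is an added example for this thread, not F5 code and not the scanner the question mentions: it parses "Testing X...YES/NO" output of the shape pasted above (the sample is constructed from that output plus one made-up NO line), and classifies each entry of a colon-separated cipher list as an exact match, a near match (same name modulo hyphens, a heuristic assumption to catch spellings such as AES-256-SHA versus AES256-SHA), unknown to the server, or cipher-string grammar (`!EXPORT`, `RSA+AES`, `@SPEED`) that names a group rather than a single cipher and therefore cannot be checked this way.

```python
import re

# Constructed sample: the scanner output from the question, as pasted (run together
# on one line), with one made-up "NO" result added to show both verdicts.
SCAN_OUTPUT = (
    "Testing AES256-SHA...YES Testing AES128-SHA...YES Testing ADH-DES-CBC3-SHA...YES "
    "Testing DES-CBC3-SHA...YES Testing RC4-SHA...YES Testing RC4-MD5...YES "
    "Testing EXP-RC4-MD5...YES Testing EXP-RC4-MD5...YES Testing RC4-MD5...YES "
    "Testing ECDHE-RSA-AES128-SHA...NO"
)

# Matches one "Testing <name>...<verdict>" token; non-greedy so the name stops at the dots.
_RESULT_RE = re.compile(r"Testing\s+(\S+?)\.\.\.(YES|NO)")


def parse_scan(output):
    """Return (supported, unsupported) sets of cipher names from scanner output.

    Sets are used deliberately: the pasted output repeats some ciphers.
    """
    supported, unsupported = set(), set()
    for name, verdict in _RESULT_RE.findall(output):
        (supported if verdict == "YES" else unsupported).add(name)
    return supported, unsupported


def _norm(name):
    # Heuristic (assumption): treat names that differ only by hyphens/underscores
    # and case as the same cipher, e.g. "AES-256-SHA" and "AES256-SHA".
    return name.replace("-", "").replace("_", "").upper()


def check_cipher_list(cipher_list, supported):
    """Classify each entry of a colon-separated cipher list against `supported`.

    Returns a dict with lists under 'match', 'near_match' (entry, server_name),
    'unknown' and 'keyword'. Keyword entries are OpenSSL/F5 cipher-string grammar
    (negations, key-exchange groups like RSA+AES, @SPEED) which expand to many
    ciphers; this check does not expand them, it only reports them.
    """
    by_norm = {_norm(n): n for n in supported}
    result = {"match": [], "near_match": [], "unknown": [], "keyword": []}
    for entry in cipher_list.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if entry[0] in "!-+@" or "+" in entry:
            result["keyword"].append(entry)
        elif entry in supported:
            result["match"].append(entry)
        elif _norm(entry) in by_norm:
            result["near_match"].append((entry, by_norm[_norm(entry)]))
        else:
            result["unknown"].append(entry)
    return result


if __name__ == "__main__":
    supported, unsupported = parse_scan(SCAN_OUTPUT)
    # Candidate monitor string: explicit names mixed with grammar from the profile string.
    report = check_cipher_list("AES-256-SHA:AES128-SHA:!EXPORT:RSA+AES:@SPEED", supported)
    for kind, entries in report.items():
        print(f"{kind:10s} {entries}")
```

Anything that lands in `unknown` is a cipher the server never offered in the scan, and anything in `keyword` is a group the check cannot evaluate; a monitor string made only of names from `match` (with the near-match spelling the server reported) removes cipher selection as a variable, leaving protocol version, which the question already identified as sensitive on this server, as the next thing to compare between the profile and the monitor.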