Forum Discussion

LyonsG_85618
Jun 09, 2014

ServerSSL profile issues after upgrade to v11.4.1

Hi. I am in the process of upgrading from 10.2.4HF5 to 11.4.1HF3 and have hit a problem that I cannot resolve.

Basically one of my ServerSSL profiles is failing after upgrade.

If I remove the profile everything works as expected.

The profile before change looks like this:

profile serverssl PROFILE_SYST_WASHCI3_INTERNAL_LIVE_SERVERSSL {
    defaults from serverssl
    ca file "ISOSEM.crt"
    ciphers "HIGH:MEDIUM:!SSLv2:!ADH"
    options dont insert empty fragments
    renegotiate enable
    renegotiate period indefinite
    renegotiate size indefinite
    peer cert mode require authenticate once
    authenticate depth 9
    authenticate name "hci3syst01.internal.company.com"
    unclean shutdown enable
    handshake timeout 60
    alert timeout 60
    cache size 20000
    cache timeout 300
}

The profile after change looks like this:

ltm profile server-ssl /SOA/PROFILE_SYST_WASHCI3_INTERNAL_LIVE_SERVERSSL {
    alert-timeout 60
    app-service none
    authenticate once
    authenticate-depth 9
    authenticate-name hci3syst01.internal.company.com
    ca-file /Common/ISOSEM.crt
    cache-size 20000
    cache-timeout 300
    ciphers DEFAULT:!TLSv1_1:!TLSv1_2
    defaults-from /Common/serverssl
    handshake-timeout 60
    options { dont-insert-empty-fragments }
    peer-cert-mode require
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    unclean-shutdown enabled
}

I had to change the ciphers as I was seeing following errors in log when trying to connect:

Jun 9 10:14:44 bipscint2 warning tmm[13423]: 01260017:4: Connection attempt to insecure SSL server (see RFC5746) aborted: 172.31.100.195:443

Jun 9 10:14:44 bipscint2 info tmm[13423]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:62326 to 172.31.100.195:443

After changing ciphers I am now just getting:

Jun 9 10:12:40 bipscint2 info tmm1[13423]: 01260013:6: SSL Handshake failed for TCP from 172.31.81.95:62163 to 172.31.100.195:443

I also changed the secure-renegotiation setting to require-strict and to request (as I have seen issues with this).

I have tried numerous Cipher settings and none have been successful.

When I run an ssldump I get the following:

New TCP connection 1: 172.31.81.95(62005) <-> server.internal.company.com(443)  
1 1  0.0013 (0.0013)  C>S  Handshake  
      ClientHello  
        Version 3.1   
        cipher suites  
        TLS_RSA_WITH_RC4_128_SHA  
        TLS_RSA_WITH_AES_128_CBC_SHA  
        TLS_RSA_WITH_AES_256_CBC_SHA  
        TLS_RSA_WITH_3DES_EDE_CBC_SHA  
        Unknown value 0xc013  
        Unknown value 0xc014  
        Unknown value 0xc012  
        Unknown value 0xff  
        compression methods  
                  NULL  
1 2  0.0027 (0.0014)  S>C  Alert  
    level           fatal  
    value           handshake_failure  
1    0.0031 (0.0003)  S>C  TCP FIN  

1    0.0032 (0.0001)  C>S  TCP RST

I know it looks like it's a server problem, but this did work on version 10.2.4.

Cipher combinations I have tried (in no particular order):

DEFAULT:!TLSv1_1:!TLSv1_2:TLSv1

RC4-SHA:DEFAULT:!TLSv1_1:!TLSv1_2:!TLSv1

RC4-SHA:DEFAULT:!TLSv1_1:!TLSv1_2

TLSv1

TLSv1:DEFAULT

HIGH:MEDIUM:!SSLv2:!ADH:!TLSv1_1:!TLSv1_2

HIGH:MEDIUM:!SSLv2:!ADH:!TLSv1_1:!TLSv1_2

RC4-MD5:DEFAULT:!TLSv1_1:!TLSv1_2:!TLSv1

RC4-MD5:DEFAULT:!TLSv1_1:!TLSv1_2

TLSv1

The server is only configured to allow RC4-MD5 ciphers.

However, even putting this in still generates the same error message.

Any ideas?

29 Replies
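The following probe reproduces and decodes the exchange shown in the ssldump above. It is an added example, not code from the original post or from F5. It builds a TLS 1.0 ClientHello (ssldump's "Version 3.1") carrying any cipher list, decodes the server's first record (a ServerHello or an alert), and reports whether the offered suites overlap what the backend accepts. The suite numbers are the IANA assignments: the "Unknown value" entries ssldump printed are the ECDHE suites 0xc013, 0xc014 and 0xc012, and 0xff is TLS_EMPTY_RENEGOTIATION_INFO_SCSV, the RFC 5746 signalling value a secure-renegotiation-capable client sends. The host and port given to probe() are placeholders, and the ServerHello and alert records used in the demo are constructed here, not captured from the thread's servers.

```python
"""Hand-built TLS 1.0 ClientHello probe with cipher-overlap check.
Added example for the thread above; not code from the post or from F5."""
import os
import socket
import struct

# IANA cipher-suite values for the suites visible in the ssldump above.
CIPHER_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",   # RFC 5746 signalling suite
}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}
# Suite list from the ClientHello in the thread's ssldump, in the order it was sent.
OBSERVED_OFFER = [0x0005, 0x002F, 0x0035, 0x000A, 0xC013, 0xC014, 0xC012, 0x00FF]
TLS10 = b"\x03\x01"   # ssldump prints this as "Version 3.1"


def cipher_name(suite):
    return CIPHER_NAMES.get(suite, "Unknown value 0x%04x" % suite)


def build_client_hello(cipher_suites, version=TLS10):
    """Record layer + Handshake header + ClientHello body, no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (version + os.urandom(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(suite, version=TLS10):
    """Constructed ServerHello (zero random, empty session id) for offline testing."""
    body = version + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def build_alert(level, description, version=TLS10):
    """Constructed alert record; level 2 is fatal, description 40 is handshake_failure."""
    return b"\x15" + version + b"\x00\x02" + bytes([level, description])


def parse_client_hello(record):
    """Return the cipher suites offered in a ClientHello record, in wire order."""
    body = record[5 + 4:]                      # skip 5-byte record and 4-byte handshake headers
    offset = 2 + 32 + 1 + body[34]             # version, random, session id (length at index 34)
    count = struct.unpack("!H", body[offset:offset + 2])[0]
    return [struct.unpack("!H", body[offset + 2 + i:offset + 4 + i])[0] for i in range(0, count, 2)]


def parse_server_response(data):
    """Decode the first record a server sends back: alert, ServerHello, or something else."""
    if len(data) < 5:
        raise ValueError("short TLS record")
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 21 and len(payload) >= 2:                      # alert
        level = {1: "warning", 2: "fatal"}.get(payload[0], str(payload[0]))
        desc = ALERT_DESCRIPTIONS.get(payload[1], "alert_%d" % payload[1])
        return {"type": "alert", "level": level, "description": desc}
    if content_type == 22 and payload and payload[0] == 2:            # handshake, ServerHello
        body = payload[4:]
        sid_len = body[34]
        suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        return {"type": "server_hello", "version": (body[0], body[1]),
                "cipher_suite": suite, "name": cipher_name(suite)}
    return {"type": "unknown", "content_type": content_type}


def common_suites(offered, accepted):
    """Suites the server could pick, in the client's preference order; empty means handshake_failure."""
    return [s for s in offered if s in accepted]


def probe(host, port, cipher_suites, timeout=5.0):
    """Send one ClientHello to host:port and decode the first record that comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(cipher_suites))
        return parse_server_response(sock.recv(4096))


if __name__ == "__main__":
    for suite in OBSERVED_OFFER:
        print("0x%04x  %s" % (suite, cipher_name(suite)))
    # A backend that accepts only RC4-MD5 (0x0004) shares nothing with this offer.
    print("overlap with RC4-MD5-only server:", common_suites(OBSERVED_OFFER, {0x0004}))
    print("constructed alert:", parse_server_response(build_alert(2, 40)))
    # probe("backend.example.internal", 443, [0x0004])  # placeholder host; run against the real backend
```

Pointing probe() at the backend with just [0x0004] shows whether it really negotiates RC4-MD5 with no BIG-IP in the path; sending OBSERVED_OFFER should reproduce the fatal handshake_failure in the ssldump, since 0x0004 is not in that list. If the backend answers the single-suite probe with a ServerHello, the remaining question is why the BIG-IP's cipher string is not putting RC4-MD5 into its ClientHello; if it answers with an alert, the backend is the problem regardless of the profile.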