Forum Discussion

tdsacilowski_17's avatar
tdsacilowski_17
Icon for Nimbostratus rankNimbostratus
Dec 10, 2014

HTTPS Monitor fails after disabling SSLv3 on Tomcat 7 (APR connector)

I'm currently in the process of upgrading my Tomcat servers to Tomcat 7 using the APR connector with SSLv3 disabled. Here is my connector:

Everything seems to be working properly... e.g. going to a page via HTTPS serves up that page correctly. However, we're using an F5 load balancer and as soon as I disabled SSLv3, the configured health monitor started failing for that node/port. After some troubleshooting on the F5 side, I decided to try to diagnose with OpenSSL:

$ openssl s_client -connect casrept2.tc.columbia.edu:8443/cas/monitor.jsp
CONNECTED(00000003)
write:errno=54

Doing the same, but forcing TLSv1 (-tls1), I'm able to connect properly:

$ openssl s_client -connect casrept2.tc.columbia.edu:8443/cas/monitor.jsp -tls1
CONNECTED(00000003)
... cert chain, etc, etc

I'm wondering if that's what's causing the health monitor to fail. Either way though, I'm curious why I need to specifically force -tls1 for this to work. I would assume it should auto-negotiate the correct protocol?

This is the cipher list for the corresponding SSL client profile:

DEFAULT:!RC4:!SSLv3

And the one for the monitor:

DEFAULT

And finally, my SEND string:

GET /cas/monitor.jsp\r\n

Any ideas? Thanks!

application delivery
LTM

6 Replies

Sort By
  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    Dec 11, 2014
    Which version of BIG-IP are you running?
  • tdsacilowski_17's avatar
    tdsacilowski_17
    Icon for Nimbostratus rankNimbostratus
    Dec 11, 2014
    Dammit... the one important thing I forgot to include... we're on 10.2.1 and will be upgrading to 10.2.4 in January to add TLS 1.2 support.
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 11, 2014

    can you try ssldump monitor traffic?

     ssldump -Aed -nni 0.0 host x.x.x.x and host y.y.y.y and port zzz
x.x.x.x is non-floating self ip on pool member vlan
y.y.y.y is pool member ip
zzz is pool member port

    i do see tls 1.0 (version 3.1) on 10.2.4 unit here.

     configuration

[root@ve10a:Active] config  tmsh list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:https {
            session monitor-enabled
        }
    }
    monitor myhttps
}
[root@ve10a:Active] config  tmsh list ltm monitor https myhttps
ltm monitor https myhttps {
    cipherlist "DEFAULT"
    compatibility "enabled"
    defaults-from https
    interval 5
    send "GET /\r\n"
    time-until-up 0
    timeout 16
}

 ssldump

[root@ve10a:Active] config  ssldump -Aed -nni 0.0 host 200.200.200.101 and port 443
New TCP connection 1: 200.200.200.15(47647) <-> 200.200.200.101(443)
1 1  1418277963.7661 (0.0021)  C>SV3.1(98)  Handshake
      ClientHello
        Version 3.1
        random[32]=
          54 89 34 4b 5f 01 b2 f2 78 40 27 65 6e 21 b7 0b
          dc 7a 94 61 92 36 dc 23 ad 81 b4 a4 d0 31 da 1a
        resume [32]=
          c7 09 9b ad 17 b5 09 e7 78 c1 91 91 87 64 a9 42
          69 1b 87 60 ed 45 fd d2 39 97 41 6b 19 4d e8 c5
        cipher suites
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        Unknown value 0xff
        compression methods
                unknown value
                  NULL
  • tdsacilowski_17's avatar
    tdsacilowski_17
    Icon for Nimbostratus rankNimbostratus
    Dec 11, 2014

    Seems to be an issue with the Tomcat APR connector. I switched to NIO and added the following in my connector config:

    sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"

    Once I made this change the monitor kicked in immediately. Specifically, it seems that the issue is with the SSLv2Hello handshake. When I removed it from my config the monitor stopped working. This tells me the monitor is relying on the SSLvHello handshake. Is there any way to force the monitor to use TLSv1 instead? I tried specifying that in the cipher list but it didn't seem to help.

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 11, 2014

    it seems we turn off sslv2 since 10.2.4 (ID222483). i am not aware of a way to force tlsv1 unless we are using external monitor.

     

    ID222483 - [RFE] Add way to force bigd to send TLSv1/SSLv3 Client Hello instead of SSLv2

     

  • Mike_Dayton_108's avatar
    Mike_Dayton_108
    Icon for Nimbostratus rankNimbostratus
    Feb 09, 2015
    Monitors are run out of OpenSSL. If you want to run 10.2.4, you need HF10 to disable SSLv3 for monitors. You can verify my comment with the command openssl ciphers -v 'ALL:!SSLv2' If all you see is SSLv3, then you know you cannot turn off SSLv3 expecting TLS monitors.