
Muhammad_Irfan1
Mar 04, 2017

Connection error: ssl_hs_rxhello:7295: unsupported version (40)

Hi All,

I am using an F5 LTM 5050 with TMOS 11.5.4. HTTPS is offloaded on the F5 virtual server. Default ciphers are used. I tried the client-insecure-compatible profile as well. The handshake still fails with the log below.

Connection error: ssl_hs_rxhello:7295: unsupported version (40)

Just to let you know, the PKI server is not accessible right now from the client or the server, but that should be an issue for SSL handshake failure, right?

 

2 Replies

  • Hi,

    Could you post the output of an ssldump?

    Commands are:

    tcpdump -vvv -s 0 -nni any -w /var/tmp/www-ssl-client.cap host and port 443

    ssldump -nr /var/tmp/www-ssl-client.cap

    The SSL records printed by the ssldump utility appear similar to the following:

    New TCP connection 2: 172.16.31.22(32866) <-> 192.168.1.8(8389)
    2 1 0.0002 (0.0002) C>S Handshake
          ClientHello
            Version 3.0

     

    Cheers,

     

    Kees

     

  • Muhammad,

    Is your client really old? Because if it is, it's possible that it only supports SSLv2. Closest I have to 11.5.4 is 11.6.0, and in this version client-insecure-compatible does not support SSLv2. So a client trying to connect with SSLv2 should be dropped by the BIG-IP, although I'm not sure if it would match the error message that you see. If you want to try it, go into the client-insecure-compatible profile and make sure that SSLv2 is enabled (remove !SSLv2 from the cipher list).

     

    Just be advised that this is not something that you want to do if your Virtual Server can be reached from a hostile network like the public Internet :)
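
Both replies come down to finding out which protocol version the client's ClientHello offers. The following is an added example, not part of the original thread or any F5 tooling: it classifies the first bytes the client sends (for instance, the first TCP payload from the capture above) as an SSLv2-framed or SSLv3/TLS-framed hello and reports the offered version. The function name and the sample byte strings are constructed for illustration.

```python
import struct

VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def _name(major, minor):
    return VERSIONS.get((major, minor), f"unknown ({major}.{minor})")

def classify_client_hello(data: bytes) -> dict:
    """Return the record framing and protocol version a ClientHello offers."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of the client's first record")
    # SSLv2 framing: high bit set in byte 0 (2-byte header), msg type 1, version.
    if data[0] & 0x80 and data[2] == 0x01:
        return {"framing": "SSLv2", "offered": _name(data[3], data[4])}
    # SSLv3/TLS framing: content type 22 (handshake), record version, length.
    if data[0] == 0x16:
        rec_major, rec_minor, rec_len = struct.unpack("!BBH", data[1:5])
        body = data[5:5 + rec_len]
        # Handshake header is type(1) + length(3), then client_version(2).
        if len(body) < 6 or body[0] != 0x01:
            raise ValueError("record does not hold a complete ClientHello header")
        return {"framing": "SSLv3/TLS", "record": _name(rec_major, rec_minor),
                "offered": _name(body[4], body[5])}
    raise ValueError("first bytes are not an SSL/TLS ClientHello")

# Constructed sample inputs (not taken from the thread).
_hello = bytes([3, 0]) + bytes(32) + b"\x00" + b"\x00\x02\x00\x0a" + b"\x01\x00"
SAMPLE_SSL3 = (b"\x16\x03\x00" + struct.pack("!H", len(_hello) + 4)
               + b"\x01" + len(_hello).to_bytes(3, "big") + _hello)
SAMPLE_SSL2 = bytes.fromhex("801c0100020003000000100700c0") + bytes(16)
# SSLv2-framed hello that offers TLSv1.0, as older compatible clients send.
SAMPLE_SSL2_COMPAT = SAMPLE_SSL2[:3] + b"\x03\x01" + SAMPLE_SSL2[5:]

if __name__ == "__main__":
    for label, sample in [("ssl3", SAMPLE_SSL3), ("ssl2", SAMPLE_SSL2),
                          ("ssl2-compat", SAMPLE_SSL2_COMPAT)]:
        print(label, classify_client_hello(sample))
```

A result with "framing": "SSLv2" shows that the client opens with an SSLv2-format hello, which is the case the second reply asks about; the "offered" field then tells whether it can negotiate anything newer.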