
gefela_153763
Aug 14, 2017

curl SSL error and external weak ciphers

I have configured a health monitor corresponding to a VIP. When I do a curl test to the site's URL, I get

 

Unknown SSL protocol error in connection to x.x.x.x

 

When I examined the site via ssllabs, it has multiple issues with weak ciphers ...

 

Are the weak ciphers the reason why the curl test is failing ...

 

3 Replies

  • Could you print the complete curl command?

     

    Did you use the -k argument to ignore SSL verification errors?

     

  • I think it's more of a handshake negotiation failure when you did a curl test. But ssllabs performs all sorts of tests from sslv3 to tls1.2 and definitely with multiple ciphers.

    So when you do a curl from your machine or even from the F5 itself, is it failing?

    Try doing a curl to the VIP and to the backend pool members. You would then know which SSL versions the actual VIP and the backend servers really support. Based on that, compare your clientssl and serverssl profiles. You can do the same with ciphers too if version is not the problem.

    openssl s_client -connect IP:PORT -ssl3 
    openssl s_client -connect IP:PORT -tls1 
    openssl s_client -connect IP:PORT -tls1_1 
    openssl s_client -connect IP:PORT -tls1_2
    

    Or even a straightforward approach is to go with the SSLDUMP. Do a tcpdump first,

    tcpdump -npi 0.0 -vvv -s0 '(host  and  host ) or (host  and )' -w /var/tmp/ssl_test.pcap

    ssldump -nr /var/tmp/ssl_test.pcap > /var/tmp/ssl_test_results.txt

    Open /var/tmp/ssl_test_results.txt; this will show you which version and which ciphers it took during handshake (3.1 is tls1.0 and 3.3 is tls1_2)
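
The version-by-version `openssl s_client` check from the reply above, wrapped so the VIP and a pool member can be compared side by side. This is an added example, not code from the thread; the function names, the constructed sample output and the optional SNI argument (passed as `-servername`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): tabulate which protocol versions
# complete a handshake on the VIP and on a pool member.

# Reduce `openssl s_client` output (stdin) to "<protocol> <cipher>",
# or "FAILED" when no cipher was negotiated.
classify_s_client() {
  awk '
    /^ *Protocol *:/ { proto = $NF }
    /^ *Cipher *:/   { cipher = $NF }
    END {
      if (proto == "" || cipher == "" || cipher == "0000" || cipher == "(NONE)")
        print "FAILED"
      else
        print proto, cipher
    }'
}

# probe_one IP:PORT FLAG [SNI]
# FAILED also covers a local openssl build that no longer accepts FLAG (e.g. -ssl3).
probe_one() {
  openssl s_client -connect "$1" "$2" ${3:+-servername "$3"} \
    </dev/null 2>/dev/null | classify_s_client
}

# compare_endpoints VIP:PORT MEMBER:PORT [SNI]
compare_endpoints() {
  printf '%-8s | %-40s | %s\n' flag "VIP $1" "member $2"
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
    printf '%-8s | %-40s | %s\n' "$flag" \
      "$(probe_one "$1" "$flag" "$3")" "$(probe_one "$2" "$flag" "$3")"
  done
}

# Constructed samples of s_client output, for checking the classifier offline.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# Usage (placeholders): compare_endpoints VIP_IP:443 MEMBER_IP:443 www.example.com
```

A row that reads FAILED on the VIP but negotiates on the member (or the reverse) points at the clientssl or serverssl profile for that side.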

  • Hello Gefela,

     

    You will need to create a Server SSL Profile, and customize this profile to send the FQDN using the "Server Name" option.

     

    So you only need to specify the FQDN in the "Server Name"; when the F5 initiates SSL negotiation it will send this FQDN and the backends will be happy.

     

    Could you please try it and give feedback.

     

    Thanks