Forum Discussion

Bjoern-30_35567
Mar 27, 2018

Combine SSL Handshake failed messages with cause

Hello,

if an SSL handshake fails, the F5 LTM creates, for example, the following log entry

info tmm1[11382]: 01260013:6: SSL Handshake failed for TCP S_IP:S_Port -> Dest_IP:Dest_Port

and, for example,

warning tmm1[11382]: 01260009:4: Connection error: ssl_hs_rxhello:8519: unsupported version (70)

This makes it difficult to query the cause of the SSL handshake error. If I query our log server with the query criterion "source IP of the specific customer" to find out why the SSL handshake has failed, I only find the SSL Handshake failed message.

Would it be possible to combine both messages in this way?

info tmm1[11382]: 01260013:6: SSL Handshake failed for TCP S_IP:S_Port -> Dest_IP:Dest_Port Connection error: ssl_hs_rxhello:8519: unsupported version (70)

This request applies in the same way to any other SSL-related messages, like certificate revoked (44) or certificate expired (45).

This may be realized by an iRule, but I think it would be more useful to change this behavior by default.

Best regards

Bjoern
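As an added example (not part of the post, and not F5 code), the following Python script does on the log server what the post asks F5 to do on the box: it pairs each "SSL Handshake failed" line (which has the client address but no cause) with the "Connection error" line (which has the cause but no address) from the same tmm instance within a one-second window, and emits the combined line in the layout proposed above. The log lines are constructed in the style of the two message IDs quoted in the post; the host name, tmm instances, timestamps and addresses are assumptions. The pairing is a heuristic: the cause line carries nothing that identifies the connection, so when several handshakes fail on one tmm within the same second the assignment is ambiguous, which is exactly why the combined message is better produced by the LTM itself.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the two BIG-IP message IDs quoted in the post
# (01260013 "SSL Handshake failed", 01260009 "Connection error"). Hostname, tmm
# instances, timestamps and addresses are made up; the last line has no matching
# cause, so the correlator must leave it unexplained rather than guess.
SAMPLE_LOG = """\
Mar 27 10:15:02 bigip1 warning tmm1[11382]: 01260009:4: Connection error: ssl_hs_rxhello:8519: unsupported version (70)
Mar 27 10:15:02 bigip1 info tmm1[11382]: 01260013:6: SSL Handshake failed for TCP 192.0.2.10:51234 -> 198.51.100.5:443
Mar 27 10:15:03 bigip1 warning tmm0[11381]: 01260009:4: Connection error: ssl_hs_rxhello:8519: unsupported version (70)
Mar 27 10:15:03 bigip1 info tmm0[11381]: 01260013:6: SSL Handshake failed for TCP 192.0.2.20:40001 -> 198.51.100.5:443
Mar 27 10:15:07 bigip1 info tmm1[11382]: 01260013:6: SSL Handshake failed for TCP 192.0.2.30:55555 -> 198.51.100.5:443
"""

HS_FAILED_ID = "01260013"
CONN_ERROR_ID = "01260009"

# BSD syslog prefix (no year), host, severity word, tmm process tag, then the
# BIG-IP message ID with its severity digit and the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<tmm>tmm\d+\[\d+\]): (?P<msgid>\d{8}):(?P<lvl>\d): (?P<msg>.*)$"
)
HS_FAILED_RE = re.compile(r"SSL Handshake failed for TCP (?P<src>\S+) -> (?P<dst>\S+)")


def parse_line(line):
    """Return a dict of fields for a tmm log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # BSD syslog carries no year; only time differences are used here
    ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def correlate(lines, window_seconds=1):
    """Pair each 'SSL Handshake failed' line with the nearest unused
    'Connection error' from the same tmm instance within the time window.

    Heuristic: the cause line has no client address, so tmm instance plus
    closeness in time is the only link. With several failures on one tmm in
    the same second the pairing is ambiguous; the earliest unused cause wins.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    causes = [e for e in events if e["msgid"] == CONN_ERROR_ID]
    used = set()
    results = []
    for ev in events:
        if ev["msgid"] != HS_FAILED_ID:
            continue
        best_idx, best_dt = None, None
        for i, c in enumerate(causes):
            if i in used or c["tmm"] != ev["tmm"]:
                continue
            dt = abs((c["time"] - ev["time"]).total_seconds())
            if dt <= window_seconds and (best_dt is None or dt < best_dt):
                best_idx, best_dt = i, dt
        cause = None
        # Same layout the post asks for: the failure line with the cause appended
        combined = f'{ev["sev"]} {ev["tmm"]}: {ev["msgid"]}:{ev["lvl"]}: {ev["msg"]}'
        if best_idx is not None:
            used.add(best_idx)
            cause = causes[best_idx]["msg"]
            combined += " " + cause
        m = HS_FAILED_RE.search(ev["msg"])
        results.append({
            "ts": ev["ts"],
            "tmm": ev["tmm"],
            "src": m.group("src") if m else None,
            "dst": m.group("dst") if m else None,
            "cause": cause,
            "combined": combined,
        })
    return results


def find_by_source_ip(results, ip):
    """The query the post wants to run: every failure a given client IP caused."""
    return [r for r in results if r["src"] and r["src"].rsplit(":", 1)[0] == ip]


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG.splitlines()):
        print(r["combined"])
```

Run against the sample, the first two failures get their cause appended and the third stays bare, and `find_by_source_ip(results, "192.0.2.10")` returns the combined line for that client in one query.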

 

2 Replies

  • I have written an iRule to generate different log messages to solve this problem, but it doesn't work because of the restrictive settings in the SSL profile.

    While accessing the VS with TLS 1.0, I get no log message from this iRule. The same happens while accessing with weak ciphers / ciphers which are not configured in the SSL profile.

    Accessing with TLS 1.2, a supported cipher suite and no client certificate generates the right log message.

    when RULE_INIT {
        # Debug flag that the CLIENTCERT event reads; it was never defined in the original rule
        set static::CatchSSLErrorsDebug 1
        # Cipher suites this rule accepts (the original elseif chain listed
        # ECDHE-RSA-AES256-GCM-SHA384 three times; duplicates removed)
        set static::allowed_ciphers {
            ECDHE-RSA-AES256-GCM-SHA384
            ECDHE-RSA-AES128-GCM-SHA256
            ECDH-RSA-AES256-GCM-SHA384
            ECDH-RSA-AES128-GCM-SHA256
            DHE-RSA-AES256-GCM-SHA384
            DHE-RSA-AES128-GCM-SHA256
            ECDHE-RSA-AES128-SHA256
            DHE-RSA-AES256-SHA256
            DHE-RSA-AES128-SHA256
            ECDH-RSA-AES256-SHA384
            ECDH-RSA-AES128-SHA256
        }
    }

    when CLIENTSSL_CLIENTHELLO {
        # Initial variable assignment
        set ssl_ciphers_ok 0
        set count_cmd "SSL::cert 0"
        set verify_cmd "SSL::verify_result"
        set failure_cmd "X509::verify_cert_error_string"

        log local0.info " [IP::client_addr] [SSL::cipher name] [SSL::cipher version] "

        # Checking TLS version
        if { [SSL::cipher version] ne "TLSv1.2" } {
            log local0.info " Client [IP::client_addr] no TLS 1.2 accessing [virtual]."
            drop
        }

        # Checking cipher suites against the allowed list
        if { [lsearch -exact $static::allowed_ciphers [SSL::cipher name]] >= 0 } {
            set ssl_ciphers_ok 1
        } else {
            set ssl_ciphers_ok 0
            log local0.info " Client [IP::client_addr] offers no supported Cipher Suites accessing [virtual]."
            drop
            reject
        }
    }

    when CLIENTSSL_CLIENTCERT {
        # Is there a client cert present?
        catch {eval $count_cmd} count_result
        if { $count_result eq "" } {
            log local0.info "Client [IP::client_addr] has sent no Client Certificate accessing [virtual]."
            drop
            reject
        } else {
            catch {eval $verify_cmd} verify_result
            log local0.info "Client [IP::client_addr] $verify_result"
            if { $verify_result ne 0 } {
                # Translate the numeric verify result into its X509 error string
                catch {eval $failure_cmd $verify_result} failure_result
                if { $static::CatchSSLErrorsDebug == 1 } { log local0.info "Client [IP::client_addr] X509::verify_cert_error_string value is... '$failure_result'" }
                drop
                reject
            }
        }
    }
    
  • I am wondering what the output of

    [SSL::cipher name]
    is in the CLIENTSSL_CLIENTHELLO event.

    In this event, the client sends a list of ciphers, not only one.

    The same applies to the TLS version:

    • if the client supports TLS 1.1, the client sends a TLS packet with version 1.0 (0x0301) with a handshake version of 1.1 (0x0302)
    • if the client supports TLS 1.2, the client sends a TLS packet with version 1.0 (0x0301) with a handshake version of 1.2 (0x0303)
    • if the client supports TLS 1.3, the client sends a TLS packet with version 1.0 (0x0301) with a handshake version of 1.2 (0x0303) and with a supported_versions extension of 1.3 (0x0304 for approved TLS 1.3 clients, 0x7FXX for TLS 1.3 draft-compatible clients)

    The output of

    log local0.info " [IP::client_addr] [SSL::cipher name] [SSL::cipher version]"
    should be interesting.
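As an added example (not part of the reply, and not F5 code), the following Python builds and parses minimal ClientHello records for the three client behaviours listed in the reply, so the three version fields (record-layer version, handshake/legacy version, supported_versions extension) and the cipher list can be seen as separate values rather than the single cipher and version an iRule reads after negotiation. The records are constructed test input, not captures; the cipher suite codepoints are the IANA assignments, and the draft codepoint 0x7F1C is included only to show how draft TLS 1.3 clients label themselves.

```python
import struct

EXT_SUPPORTED_VERSIONS = 43  # extension type from RFC 8446

# IANA cipher suite codepoints used in the constructed samples below
TLS_AES_128_GCM_SHA256 = 0x1301
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F


def version_name(v):
    names = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
             0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
    if v in names:
        return names[v]
    if v >> 8 == 0x7F:                        # draft-ietf-tls-tls13-NN codepoints
        return "TLS 1.3 draft %d" % (v & 0xFF)
    return "unknown 0x%04x" % v


def build_client_hello(record_version, handshake_version, cipher_suites, supported_versions=None):
    """Assemble a minimal ClientHello record (constructed test input, not a capture)."""
    body = struct.pack("!H", handshake_version)
    body += bytes(32)                         # random: zeros are fine for a parser test
    body += b"\x00"                           # empty legacy_session_id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    exts = b""
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = struct.pack("!B", len(vs)) + vs
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Pull the version fields and the offered cipher list out of a ClientHello."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    handshake_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                 # random
    pos += 1 + body[pos]                      # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                      # compression methods
    supported = None
    if pos + 2 <= len(body):                  # extensions block is optional pre-1.2
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                supported = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + edata[0], 2)]
    return {"record_version": record_version, "handshake_version": handshake_version,
            "supported_versions": supported, "cipher_suites": cipher_suites}


def max_offered_version(info):
    """Highest version the client will negotiate: supported_versions wins when
    present (draft codepoints excluded), otherwise the handshake version."""
    if info["supported_versions"]:
        final = [v for v in info["supported_versions"] if v >> 8 != 0x7F]
        if final:
            return max(final)
    return info["handshake_version"]


# The three client behaviours described in the reply, as constructed records
TLS11_HELLO = build_client_hello(0x0301, 0x0302,
                                 [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA])
TLS12_HELLO = build_client_hello(0x0301, 0x0303,
                                 [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256])
TLS13_HELLO = build_client_hello(0x0301, 0x0303,
                                 [TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256],
                                 supported_versions=[0x0304, 0x7F1C, 0x0303, 0x0302])

if __name__ == "__main__":
    for label, rec in (("TLS 1.1 client", TLS11_HELLO), ("TLS 1.2 client", TLS12_HELLO),
                       ("TLS 1.3 client", TLS13_HELLO)):
        info = parse_client_hello(rec)
        print(f'{label}: record {version_name(info["record_version"])}, '
              f'handshake {version_name(info["handshake_version"])}, '
              f'offers up to {version_name(max_offered_version(info))}, '
              f'{len(info["cipher_suites"])} cipher suites offered')
```

All three records carry TLS 1.0 at the record layer; only the handshake version and, for the TLS 1.3 client, the supported_versions list differ, and each record offers several cipher suites. Whichever single cipher and version an iRule sees at this point is therefore a property of the BIG-IP's own selection, not something the ClientHello itself contains.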