Vikky_193911
Nov 11, 2018
Altostratus
Pleasing the client with CIPHER?
Dear DevCentral people,
Can't find the proper CIPHER for clients connecting via TLS1.1 and TLS1.0 to prevent numerous handshake_failure on VS:443. I can't control the clients; they are plain web browsers.
VS is configured with DEFAULT Cipher (latest v13.1).
ssldump shows the following cases for TLS v1.1 and then TLS v1.0:
New TCP connection 145: CLIENT_1(59237) <-> LB_VS(443)
145 1 0.0451 (0.0451) C>S Handshake
ClientHello
Version 3.2
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0x5600
compression methods
NULL
145 2 0.0451 (0.0000) S>C Alert
level fatal
value handshake_failure
145 0.0451 (0.0000) S>C TCP FIN
145 0.0913 (0.0462) C>S TCP FIN
New TCP connection 48: CLIENT_2(52795) <-> LB_VS(443)
48 1 0.0512 (0.0512) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Unknown value 0x5600
compression methods
NULL
48 2 0.0512 (0.0000) S>C Alert
level fatal
value handshake_failure
48 0.0512 (0.0000) S>C TCP FIN
48 0.1029 (0.0516) C>S TCP FIN
Is there any help with this?
While here: how does BIG-IP count these under client-ssl statistics, as Handshake Failures or Fatal Alerts?
Thank you!
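Added example, not part of the original post: a Python parser that condenses ssldump text like the capture above into one summary per connection, mapping record versions 3.1/3.2/3.3 to TLS 1.0/1.1/1.2 and naming 0x5600, which RFC 7507 assigns to TLS_FALLBACK_SCSV. The function name `summarize` and the abridged sample input are constructed for illustration.

```python
import re

VERSIONS = {"3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}
FALLBACK = {"0x5600": "TLS_FALLBACK_SCSV"}  # RFC 7507 signalling value
SAMPLE = """\
New TCP connection 145: CLIENT_1(59237) <-> LB_VS(443)
145 1 0.0451 (0.0451) C>S Handshake
ClientHello
Version 3.2
cipher suites
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Unknown value 0x5600
compression methods
NULL
145 2 0.0451 (0.0000) S>C Alert
level fatal
value handshake_failure
New TCP connection 48: CLIENT_2(52795) <-> LB_VS(443)
48 1 0.0512 (0.0512) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Unknown value 0x5600
48 2 0.0512 (0.0000) S>C Alert
level fatal
value handshake_failure
"""  # constructed sample, abridged from the two connections in the post

def summarize(dump):
    """One dict per connection: offered version, suites, signals, alert."""
    conns, section = [], None
    for line in map(str.strip, dump.splitlines()):
        new = re.match(r"New TCP connection (\d+): (\S+?)\(", line)
        if new:
            conns.append({"id": int(new[1]), "client": new[2], "version": None,
                          "suites": [], "signals": [], "alert": None})
        if new or not conns or not line or re.match(r"\d+ ", line):
            section = None  # a record header (or blank line) ends any open list
        elif line.startswith("Version ") and not conns[-1]["version"]:
            conns[-1]["version"] = VERSIONS.get(line[8:], line[8:])
        elif line in ("cipher suites", "compression methods"):
            section = line
        elif section == "cipher suites":
            name = FALLBACK.get(line.split()[-1], line)  # name the "Unknown value"
            conns[-1]["signals" if name.endswith("_SCSV") else "suites"].append(name)
        elif line.startswith("value "):
            conns[-1]["alert"] = line[6:]
    return conns
```

A `TLS_FALLBACK_SCSV` entry in `signals` means the client is retrying at a lower protocol version than it first attempted, so the earlier, higher-version handshake from the same client is the one to capture and compare.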