Tomeriz
Jan 22, 2016

2-way SSL between LTM 11.3HF10 and LTM 11.6

Hello,

We have this problem when we are trying to make a 2-way SSL connection between two F5 LTM devices. The one which starts the connection is LTM 11.3HF10 and the destination has LTM 11.6. The problem is that the SSL connection won't establish. Both are using default ciphers and the connection fails at the SSL handshake. If we take 2-way away and use only 1-way, it works no probs.

This is a TCP dump from the 11.6 device (had to mask a little):

New TCP connection 1: XXX.XXX.XXX.XXX(XXXXX) <-> YYY.YYY.YYY.YYY(YYYYY)
1 1  0.0011 (0.0011)  C>SV3.1(57)  Handshake
      ClientHello
        Version 3.1 
        random[32]=
          ...
        cipher suites
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA256
        TLS_RSA_WITH_AES_256_CBC_SHA256
        Unknown value 0xff
        compression methods
                  NULL
1 2  0.0011 (0.0000)  S>CV3.1(81)  Handshake
      ServerHello
        Version 3.1 
        random[32]=
          ...
        session_id[32]=
          ... 
        cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
        compressionMethod                   NULL
1 3  0.0011 (0.0000)  S>CV3.1(2985)  Handshake
      Certificate
        Subject
        ...
        Issuer
        ...
        Serial         ...
        Extensions
          Extension: X509v3 Subject Alternative Name
          Extension: X509v3 Basic Constraints
          Extension: X509v3 Key Usage
                    Critical
          Extension: X509v3 Extended Key Usage
          Extension: X509v3 Certificate Policies
          Extension: X509v3 Authority Key Identifier
          Extension: X509v3 CRL Distribution Points
          Extension: Authority Information Access
          Extension: 1.3.6.1.4.1.11129.2.4.2
        Subject
        ...
        Issuer
        ... 
        Extensions
          Extension: Authority Information Access
          Extension: X509v3 Basic Constraints
                    Critical
          Extension: X509v3 Certificate Policies
          Extension: X509v3 CRL Distribution Points
          Extension: X509v3 Key Usage
                    Critical
          Extension: X509v3 Subject Alternative Name
          Extension: X509v3 Subject Key Identifier
          Extension: X509v3 Authority Key Identifier
1 4  0.0011 (0.0000)  S>CV3.1(302)  Handshake
      CertificateRequest
        certificate_types                   rsa_sign
        certificate_types                   dss_sign
        certificate_types                 unknown value
        certificate_authority
          ...
        certificate_authority
          ...
1 5  0.0011 (0.0000)  S>CV3.1(4)  Handshake
      ServerHelloDone
1 6  0.0031 (0.0019)  C>SV3.1(7)  Handshake
      Certificate
1 7  0.0031 (0.0000)  C>SV3.1(262)  Handshake
      ClientKeyExchange
        EncryptedPreMasterSecret[256]=
          ... 
1 8  0.0031 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 9  0.0031 (0.0000)  C>SV3.1(48)  Handshake
1 10 0.0032 (0.0000)  S>CV3.1(2)  Alert
    level           fatal
    value           handshake_failure
1    0.0032 (0.0000)  S>C  TCP FIN
1    0.0044 (0.0012)  C>S  TCP RST

Does anyone have any idea how we should set up ciphers or some other settings in the SSL profiles to get this connection working with 2-way SSL? On the source side (LTM 11.3HF10) we have a serverssl profile that has:

Certificate: client_type_cert
Key: matching_key_for_above_client_cert
Chain: matching_chain_for_above_certificate
Server Authentication:
Server Certificate: require 
Authenticate Name: name_of_destination_side_certificate
Trusted Certificate Authorities: root_and_issuer_bundle_that_matches_destination_side_certificate

Others are defaults from serverssl profile

Destination side (LTM 11.6) has clientssl profile that has:

Certificate: server_cert
Key: matching_key_for_above_server_cert
Chain: matching_chain_for_above_certificate
Client Authentication:
Server Certificate: require
Frequency: always
Trusted Certificate Authorities: root_and_issuer_bundle_that_matches_source_side_client_certificate

Others are defaults from clientssl profile

I appreciate all your help.

-Tommi
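In the trace above, message 6 ("C>SV3.1(7) Certificate") is a 7-byte client Certificate message, and 7 bytes is exactly a 4-byte handshake header plus an empty 3-byte certificate list, so the client answered the CertificateRequest without presenting any certificate; a server that requires a client certificate then aborts with handshake_failure. The example below is added here and is not from the post, from Tommi or from F5: it builds constructed TLS 1.0 handshake records and reports whether a client Certificate message is empty, so the same check can be run on captured record bytes before any cipher settings are changed.

```python
HANDSHAKE = 22       # TLS record content type for handshake messages
HS_CERTIFICATE = 11  # handshake message type of Certificate
def tls_record(payload, version=(3, 1)):
    """Wrap a handshake payload in a record header: type, version, length."""
    return bytes([HANDSHAKE, *version]) + len(payload).to_bytes(2, "big") + payload
def handshake_message(msg_type, body):
    """Handshake header: 1-byte type plus 3-byte body length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body
def certificate_message(der_certs):
    """Certificate body: 3-byte list length, then length-prefixed DER blobs."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in der_certs)
    return handshake_message(HS_CERTIFICATE, len(entries).to_bytes(3, "big") + entries)

def split_handshake(record):
    """Yield (msg_type, body) for every handshake message in one TLS record."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    length, pos = int.from_bytes(record[3:5], "big"), 0
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    while pos < len(payload):
        body_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + body_len]
        if len(body) != body_len:
            raise ValueError("truncated handshake message")
        yield payload[pos], body
        pos += 4 + body_len

def certificates_in(body):
    """Return the DER blobs listed in a Certificate message body."""
    list_len = int.from_bytes(body[:3], "big")
    data, certs, pos = body[3:3 + list_len], [], 0
    while pos < len(data):
        n = int.from_bytes(data[pos:pos + 3], "big")
        certs.append(data[pos + 3:pos + 3 + n])
        pos += 3 + n
    return certs

def client_certificate_status(record):
    """'none' without a Certificate message, 'empty' for an empty list, else a count."""
    for msg_type, body in split_handshake(record):
        if msg_type == HS_CERTIFICATE:
            certs = certificates_in(body)
            return "empty" if not certs else f"present:{len(certs)}"
    return "none"

# Constructed samples: the 7-byte message from the trace, and one carrying a cert.
EMPTY_CLIENT_CERT = tls_record(certificate_message([]))   # record payload is 7 bytes
ONE_CLIENT_CERT = tls_record(certificate_message([b"\x30\x82\x01\x00" + b"\x00" * 256]))  # placeholder bytes, not a real cert
```

Feeding the raw record bytes of message 6 from a capture to client_certificate_status tells you whether the serverssl side actually sent its client certificate, which separates a missing-certificate problem from a cipher mismatch.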

2 Replies

  • Hi Tommi, I would start with seeing if you can get a better error out of the client side of the 11.6 device. To do this, in the clientssl profile, uncheck the "generic alert" option. With that enabled it will always fail with "handshake_failure". Unchecking it might get you something more specific to help lead you in the right direction. -Tim
  • Actually that dump is from ssldump and I don't think it can get any more detailed error than that. I'm just thinking: does that 11.6 have such a patched SSL implementation that it doesn't support any 11.3hf10 ciphers by default? -Tommi