For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Naresh_N's avatar
Naresh_N
Icon for Nimbostratus rankNimbostratus
Nov 13, 2015

SSL handshake errors

Hi there,   Recently put TMOS version 12 into production and see following SSL handshake errors, none of which existed in version 10.2.3:   Nov 12 03:15:36 dc1lbc2p info tmm[11446]: 01260013:6:...
BIG-IP
clientssl
LTM
openssl
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 13, 2015

Okay, I guess I assumed from the other thread that you were doing SSL on the server side. So this actually makes things a bit easier. Let's try some additional tests:

  1. Run an tcpdump, listening ONLY on the server side VLAN. Do you see ANY traffic going to the server when you test? If you do, do you see a reset coming from the server?

  2. With the -k option you also need to:

    a. Provide the private key (the one you use in the client SSL profile)

    ssldump -k /path/to/private.key -AdNn -i [client-side VLAN] port 443 [and any additional filters]

    b. Force the client and BIG-IP to use an RSA key exchange. The simplest option here might be to just temporarily change the Cipher string in the client SSL profile to: !SSLv3:RSA+AES. This will allow ssldump to decrypt the traffic.

  3. Run a client side capture like HTTPWatch or Fiddler and see if there's any HTTP traffic before it fails, and if so where it fails.