tls1.3
Virtual Server with TLS1.3

Hi team,

I have a lab in version 14.1.0.1. I'm trying to deploy a virtual server which handles HTTP over TLS version 1.3 (SSL offloading). However, when I access my virtual server I receive the following error message in my browser (Firefox 66.0.2 64-bit):

    An error occurred during a connection to 10.10.245.80. SSL received a record with an incorrect Message Authentication Code. Error code: SSL_ERROR_BAD_MAC_READ

In /var/log/ltm:

    Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260013:4: SSL Handshake failed for TCP 10.10.0.1:50827 -> 10.10.245.80:443
    Mar 29 15:48:49 bigip-a warning tmm1[9755]: 01260009:4: Connection error: ssl_basic_crypto_cb:691: Decryption error (20)

I can provide the pcap while accessing the virtual server. The client side SSL handshake does not succeed. The client seems to not accept bigip's response. I first thought that it was a browser issue, but with the same browser I'm able to access https://tls13.crypto.mozilla.org/, which is a TLS 1.3-only website. Moreover, the same cipher was chosen in both handshakes: TLS_AES_128_GCM_SHA256 (0x1301).

Here is my config:

    ltm virtual /Common/http_vs {
        creation-time 2019-03-22:14:25:44
        destination /Common/10.10.245.80:443
        ip-protocol tcp
        last-modified-time 2019-03-29:15:33:08
        mask 255.255.255.255
        pool /Common/http_pool
        profiles {
            /Common/http { }
            /Common/kabe_clientssl {
                context clientside
            }
            /Common/tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
    }
    ltm profile client-ssl /Common/kabe_clientssl {
        app-service none
        cert-key-chain {
            default {
                cert /Common/default.crt
                key /Common/default.key
            }
        }
        cipher-group /Common/f5-aes
        ciphers none
        defaults-from /Common/clientssl
        inherit-ca-certkeychain true
        inherit-certkeychain true
        options { dont-insert-empty-fragments }
    }

Could you please help me understand why the TLS handshake is down?

Many thanks,
Karim BENYELLOUL

Question on configuring SNI clientSSL Profile
Hi Experts,

I have a question on configuring the SNI SSL profile. Suppose I have 3 different certificates and 3 SSL profiles to be attached to the VIP to configure SNI:

    https://www.securesite1.com   ClientSSL1 > Default SSL Profile for SNI
    https://www.securesite2.com   ClientSSL2
    https://www.securesite3.com   ClientSSL3

To enable SNI, we configure the Server Name and check Default SSL Profile for SNI on the ClientSSL1 profile, and then assign the profile to a virtual server. How about the other 2 SSL profiles, ClientSSL2 & ClientSSL3? For the other SSL profiles, do I need to type the name of the HTTPS site in the Server Name box, or can it be left blank?

Any plans of supporting X25519MLKEM768 (0x11EC)
Hi Experts,

It seems F5 is supporting the obsolete draft version, i.e., X25519Kyber768Draft00 (0x6399), whose support has been removed from the latest versions of Chrome and Firefox; instead, X25519MLKEM768 (0x11EC) is supported on all the latest versions of Chrome and Firefox. So, does F5 have any plans to support X25519MLKEM768 (0x11EC) in its BIG-IP Next and TMOS flavours soon?

Sources:
- PQC support in BIG-IP Next: https://my.f5.com/manage/s/article/K000148294
- PQC support in BIG-IP TMOS: https://my.f5.com/s/article/K000149577
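As an added illustration of why the code point matters (this is not code from the post or from F5): a constructed TLS 1.3 supported_groups negotiation showing that a client offering only X25519MLKEM768 (0x11EC) against a server that knows only the draft X25519Kyber768Draft00 (0x6399) silently falls back to classical x25519 with no post-quantum protection. The browser and server preference lists and the client-preference server rule are assumptions.

```python
import struct

# IANA TLS Supported Groups code points. The two hybrid values are the ones
# named in the post above; x25519 and secp256r1 are classical fallbacks.
X25519 = 0x001D
SECP256R1 = 0x0017
X25519_KYBER768_DRAFT00 = 0x6399  # draft hybrid, dropped by current browsers
X25519_MLKEM768 = 0x11EC          # standardised hybrid (X25519 + ML-KEM-768)
HYBRID_GROUPS = {X25519_KYBER768_DRAFT00, X25519_MLKEM768}

def encode_supported_groups(groups):
    """Body of a supported_groups extension (RFC 8446, 4.2.7): 2-byte list
    length, then 2-byte NamedGroup values in client preference order."""
    body = b"".join(struct.pack("!H", g) for g in groups)
    return struct.pack("!H", len(body)) + body

def decode_supported_groups(data):
    """Inverse of encode_supported_groups; rejects malformed lengths."""
    (length,) = struct.unpack("!H", data[:2])
    if length % 2 or len(data) != 2 + length:
        raise ValueError("malformed supported_groups extension")
    return [struct.unpack("!H", data[i:i + 2])[0]
            for i in range(2, 2 + length, 2)]

def negotiate_group(client_groups, server_groups):
    """Simplified server choice (assumption): first group in the client's
    preference order that the server supports; None means the handshake
    fails. Real servers may apply their own preference instead."""
    return next((g for g in client_groups if g in server_groups), None)

def is_post_quantum(group):
    """Only the hybrid code points give PQ protection; x25519 alone does not."""
    return group in HYBRID_GROUPS

# Constructed preference lists: a browser still sending the draft code point,
# a current browser, and two servers (one supporting only the draft).
LEGACY_BROWSER = [X25519_KYBER768_DRAFT00, X25519, SECP256R1]
CURRENT_BROWSER = [X25519_MLKEM768, X25519, SECP256R1]
SERVER_DRAFT_ONLY = {X25519_KYBER768_DRAFT00, X25519, SECP256R1}
SERVER_MLKEM = {X25519_MLKEM768, X25519_KYBER768_DRAFT00, X25519, SECP256R1}

if __name__ == "__main__":
    for cname, client in (("legacy", LEGACY_BROWSER), ("current", CURRENT_BROWSER)):
        offered = decode_supported_groups(encode_supported_groups(client))
        for sname, server in (("draft-only", SERVER_DRAFT_ONLY), ("ML-KEM", SERVER_MLKEM)):
            chosen = negotiate_group(offered, server)
            pq = "PQ hybrid" if is_post_quantum(chosen) else "classical only (no PQ)"
            print(f"{cname} browser -> {sname} server: {chosen:#06x} {pq}")
```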