Troubleshooting SSL handshake in F5 BIG-IP LTM – Part 1 (SSL/TLS Protocol Mismatch)


How to identify if there is an SSL/TLS protocol mismatch between Client and F5 LTM?

1.  Check the protocol version used by the client in Wireshark captures, under the “Client Hello” packet.

[Figure: protocol mismatch Wireshark capture]

2.  Check the SSL/TLS protocol version supported by the LTM for a particular VIP

  • Run curl checks, if possible from a remote server, one per protocol version:
curl -Ik https://site1.dc1.networkology.net --sslv2
curl -Ik https://site1.dc1.networkology.net --sslv3
curl -Ik https://site1.dc1.networkology.net --tlsv1
curl -Ik https://site1.dc1.networkology.net --tlsv1.0
curl -Ik https://site1.dc1.networkology.net --tlsv1.1
curl -Ik https://site1.dc1.networkology.net --tlsv1.2
  • Check if any protocol is negated in the ciphers string of the client-ssl profile:

tmsh list ltm virtual <VIRTUAL-SERVER> { profiles }
tmsh list ltm profile client-ssl <PROFILE-NAME> { ciphers }

    ltm profile client-ssl site1.dc1.networkology.net-clientssl {
        ciphers !TLSv1:DEFAULT
    }
  • Check if the protocol is negated in the options list of the client-ssl profile:

tmsh list ltm profile client-ssl <PROFILE-NAME> { options }

    ltm profile client-ssl site1.dc1.networkology.net-clientssl {
        options { no-tlsv1 }
    }
  • Check whether the DEFAULT cipher string omits the required protocol (a plain grep for "TLS1" would also match the TLS1.1 and TLS1.2 rows, so anchor it on the trailing whitespace of the column):

tmm --clientciphers DEFAULT | grep -E "TLS1[[:space:]]"
tmm --clientciphers DEFAULT | grep "TLS1.1"
tmm --clientciphers DEFAULT | grep "TLS1.2"
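The two profile checks above can be combined into one quick comparison against the Client Hello seen in Wireshark. The following Python helper is an added example written for this post, not F5 code: it parses the `ciphers` and `options` lines of a `tmsh list ltm profile client-ssl` output and reports which version (if any) the VIP can still negotiate with that client. The keyword names beyond `TLSv1`/`no-tlsv1` are assumed to follow the same naming pattern, and a version counts as enabled unless the profile disables it explicitly (a version missing from the DEFAULT cipher string is the separate `tmm --clientciphers` check).

```python
import re

# Protocol keywords as BIG-IP writes them after "!" in a cipher string and
# after "no-" in the options list. The page shows TLSv1 / no-tlsv1; the other
# names are assumed to follow the same pattern.
PROTO_KEYWORDS = {
    "sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1",
    "tlsv1_1": "TLSv1.1", "tlsv1_2": "TLSv1.2",
}
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # lowest to highest


def disabled_protocols(profile_text):
    """Versions the client-ssl profile disables, via the cipher string
    (e.g. !TLSv1:DEFAULT) or the options list (e.g. no-tlsv1)."""
    disabled = set()
    m = re.search(r"^\s*ciphers\s+(\S+)", profile_text, re.M)
    if m:
        for token in m.group(1).split(":"):
            key = token[1:].lower()
            if token.startswith("!") and key in PROTO_KEYWORDS:
                disabled.add(PROTO_KEYWORDS[key])
    m = re.search(r"^\s*options\s*\{([^}]*)\}", profile_text, re.M)
    if m:
        for opt in m.group(1).split():
            key = opt.lower()
            if key.startswith("no-") and key[3:] in PROTO_KEYWORDS:
                disabled.add(PROTO_KEYWORDS[key[3:]])
    return disabled


def negotiated_version(client_min, client_max, profile_text):
    """Highest version both sides allow, or None for a protocol mismatch.
    client_max is the version field of the Client Hello seen in Wireshark;
    client_min is the lowest version the client is willing to fall back to."""
    enabled = [p for p in ORDER if p not in disabled_protocols(profile_text)]
    lo, hi = ORDER.index(client_min), ORDER.index(client_max)
    candidates = [p for p in ORDER[lo:hi + 1] if p in enabled]
    return candidates[-1] if candidates else None


# Constructed sample: the two tmsh outputs shown above, combined in one profile.
SAMPLE_PROFILE = """\
ltm profile client-ssl site1.dc1.networkology.net-clientssl {
    ciphers !TLSv1:DEFAULT
    options { no-tlsv1 }
}
"""

if __name__ == "__main__":
    print(disabled_protocols(SAMPLE_PROFILE))                    # {'TLSv1'}
    print(negotiated_version("TLSv1", "TLSv1", SAMPLE_PROFILE))    # None
    print(negotiated_version("TLSv1", "TLSv1.2", SAMPLE_PROFILE))  # TLSv1.2
```

A `None` result for the client's version range is exactly the mismatch this post is about: the Client Hello arrives, but no version the client offers is enabled on the VIP.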

Supplementary information:

List of cipher suites supported in versions 11.x to 13.x – https://support.f5.com/csp/article/K13163

List of ciphers/protocols included in the DEFAULT cipher string for versions 11.x and 12.x – https://support.f5.com/csp/article/K13171

The <cipher string> can be any of the standard cipher string identifiers, such as ALL, DEFAULT, LOW, MEDIUM, HIGH, and NULL.
