Tomeriz
Jan 22, 2016 (Nimbostratus)
2-way SSL between LTM 11.3HF10 and LTM 11.6
Hello,
We have this problem when we are trying to make a 2-way SSL connection between two F5 LTM devices. The one which starts the connection is LTM 11.3HF10 and the destination has LTM 11.6. The problem is that the SSL connection won't establish. Both are using default ciphers and the connection fails at the SSL handshake. If we take 2-way away and use only 1-way, it works no probs.
This is a TCP dump from the 11.6 device (had to mask a little):
New TCP connection 1: XXX.XXX.XXX.XXX(XXXXX) <-> YYY.YYY.YYY.YYY(YYYYY)
1 1 0.0011 (0.0011) C>SV3.1(57) Handshake
ClientHello
Version 3.1
random[32]=
...
cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
Unknown value 0xff
compression methods
NULL
1 2 0.0011 (0.0000) S>CV3.1(81) Handshake
ServerHello
Version 3.1
random[32]=
...
session_id[32]=
...
cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA
compressionMethod NULL
1 3 0.0011 (0.0000) S>CV3.1(2985) Handshake
Certificate
Subject
...
Issuer
...
Serial ...
Extensions
Extension: X509v3 Subject Alternative Name
Extension: X509v3 Basic Constraints
Extension: X509v3 Key Usage
Critical
Extension: X509v3 Extended Key Usage
Extension: X509v3 Certificate Policies
Extension: X509v3 Authority Key Identifier
Extension: X509v3 CRL Distribution Points
Extension: Authority Information Access
Extension: 1.3.6.1.4.1.11129.2.4.2
Subject
...
Issuer
...
Extensions
Extension: Authority Information Access
Extension: X509v3 Basic Constraints
Critical
Extension: X509v3 Certificate Policies
Extension: X509v3 CRL Distribution Points
Extension: X509v3 Key Usage
Critical
Extension: X509v3 Subject Alternative Name
Extension: X509v3 Subject Key Identifier
Extension: X509v3 Authority Key Identifier
1 4 0.0011 (0.0000) S>CV3.1(302) Handshake
CertificateRequest
certificate_types rsa_sign
certificate_types dss_sign
certificate_types unknown value
certificate_authority
...
certificate_authority
...
1 5 0.0011 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
1 6 0.0031 (0.0019) C>SV3.1(7) Handshake
Certificate
1 7 0.0031 (0.0000) C>SV3.1(262) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[256]=
...
1 8 0.0031 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 9 0.0031 (0.0000) C>SV3.1(48) Handshake
1 10 0.0032 (0.0000) S>CV3.1(2) Alert
level fatal
value handshake_failure
1 0.0032 (0.0000) S>C TCP FIN
1 0.0044 (0.0012) C>S TCP RST
Does anyone have any idea how we should set up ciphers or some other settings in the SSL profiles to get this connection working with 2-way SSL? On the source side (LTM 11.3HF10) we have a serverssl profile that has:
Certificate: client_type_cert
Key: matching_key_for_above_client_cert
Chain: matching_chain_for_above_certificate
Server Authentication:
Server Certificate: require
Authenticate Name: name_of_destination_side_certificate
Trusted Certificate Authorities: root_and_issuer_bundle_that_matches_destination_side_certificate
Others are defaults from serverssl profile
Destination side (LTM 11.6) has clientssl profile that has:
Certificate: server_cert
Key: matching_key_for_above_server_cert
Chain: matching_chain_for_above_certificate
Client Authentication:
Server Certificate: require
Frequency: always
Trusted Certificate Authorities: root_and_issuer_bundle_that_matches_source_side_client_certificate
Others are defaults from clientssl profile
I appreciate all your help.
-Tommi
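As an added diagnostic example (not from the original post or from F5): a Python script that parses ssldump summary lines of the kind shown in the post and reports where a two-way SSL handshake broke down. The number in parentheses on each summary line is the record payload length, and an empty TLS Certificate message is exactly 7 bytes (a 4-byte handshake header plus a 3-byte zero-length certificate_list), so a 7-byte client Certificate means the client presented no certificate, which RFC 5246 section 7.4.6 lets a server answer with a fatal handshake_failure. The embedded trace is a constructed, shortened copy of the post's record sequence; the line-parsing rule is an assumption about ssldump's output layout, and the verdict strings are the script's own interpretation, not an answer from the thread.

```python
"""Diagnose a two-way SSL handshake from an ssldump-style trace.

Added example; not code from the original post or from F5. A 7-byte
client Certificate message carries an empty certificate_list.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ssldump summary line: conn# msg# time (delta) dirVmaj.min(len) record-type
RECORD_RE = re.compile(
    r"^\d+\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)V\d\.\d\((\d+)\)\s+(\w+)$"
)
EMPTY_CERTIFICATE_MSG_LEN = 7  # 4-byte handshake header + 3-byte empty list

# Constructed, shortened trace with the same record sequence as the post.
SAMPLE_TRACE = """\
New TCP connection 1: 10.0.0.1(40000) <-> 10.0.0.2(443)
1 1 0.0011 (0.0011) C>SV3.1(57) Handshake
ClientHello
1 3 0.0011 (0.0000) S>CV3.1(2985) Handshake
Certificate
1 4 0.0011 (0.0000) S>CV3.1(302) Handshake
CertificateRequest
certificate_types rsa_sign
1 5 0.0011 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
1 6 0.0031 (0.0019) C>SV3.1(7) Handshake
Certificate
1 7 0.0031 (0.0000) C>SV3.1(262) Handshake
ClientKeyExchange
1 8 0.0031 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 9 0.0031 (0.0000) C>SV3.1(48) Handshake
1 10 0.0032 (0.0000) S>CV3.1(2) Alert
level fatal
value handshake_failure
1 0.0032 (0.0000) S>C TCP FIN
"""


@dataclass
class Record:
    direction: str                                    # "C>S" or "S>C"
    length: int                                       # payload bytes
    kind: str                                         # Handshake, Alert, ...
    details: List[str] = field(default_factory=list)  # lines up to next record

    @property
    def name(self) -> Optional[str]:
        """Handshake message name or alert value; None when encrypted."""
        if self.kind == "Alert":
            values = [d.split(" ", 1)[1] for d in self.details if d.startswith("value ")]
            return values[0] if values else None
        return self.details[0] if self.details else None


def parse_trace(text: str) -> List[Record]:
    """Group an ssldump trace into records plus their detail lines."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:
            records.append(Record(m.group(1), int(m.group(2)), m.group(3)))
        elif records and line:
            records[-1].details.append(line)
    return records


def diagnose(records: List[Record]) -> Dict[str, object]:
    """Report whether, and why, client authentication failed."""
    def find(direction: str, kind: str, name: str) -> Optional[Record]:
        return next((r for r in records if r.direction == direction
                     and r.kind == kind and r.name == name), None)

    requested = find("S>C", "Handshake", "CertificateRequest") is not None
    client_cert = find("C>S", "Handshake", "Certificate")
    alert = next((r.name for r in records
                  if r.kind == "Alert" and "level fatal" in r.details), None)
    cert_bytes = client_cert.length if client_cert else None
    empty = cert_bytes == EMPTY_CERTIFICATE_MSG_LEN

    if not requested:
        verdict = "no CertificateRequest from server: not a client-auth failure"
    elif client_cert is None:
        verdict = "server requested a client cert but the client sent none"
    elif empty:
        verdict = ("client answered CertificateRequest with an empty Certificate "
                   "message: check the certificate, key and chain configured on "
                   "the connecting side")
    elif alert == "handshake_failure":
        verdict = ("client presented a certificate that the server rejected: "
                   "check the server's trusted CA bundle against that cert's chain")
    else:
        verdict = "no client-auth failure detected"
    return {"cert_requested": requested, "client_cert_bytes": cert_bytes,
            "client_cert_empty": empty, "fatal_alert": alert, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(parse_trace(SAMPLE_TRACE))["verdict"])
```

Run it against a real ssldump capture by replacing SAMPLE_TRACE with the file contents; the useful signal is the length of the client's Certificate record relative to the server's CertificateRequest, which separates "no certificate was sent" from "a certificate was sent but not trusted" before anyone touches cipher settings.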