Forum Discussion

Lee_Sutcliffe's avatar
Apr 20, 2012

Page not available after replacing SSL certificate

Hi,

 

 

I've recently updated an SSL certificate, I've done this many times in the past and not had any issues but I'm seeing some odd behaviour now.

 

 

 

We had 4096 bit SSL certs on our LTMs running 10.2.2, however some clients had issues with the size of the key. These were replaced with 2048 bit certs.

 

 

 

I added the new certificate and key to the SSL profile but now I can't view the site. I've ran TCP dump and can see SSL communication between the VIP and my PC but the page hangs and doesn't show any pages.

 

 

 

I've added the same certificate on to the web server directly and I can get to the page fine.

 

Interestingly, I have tried putting the old certificate back and I now get the same error.

 

 

 

Any help would be greatly appreciated.

 

 

 

Thanks

 

  • I think I've been looking at the wrong part of the ssldump output.

    I'm not 100% who is C or S.

     

     

     

    This is the output from the connection I'm concerned with, but I don't know enough about ssldump to comment on it.

     

     

     

    New TCP connection 9: 10.x.x.199(44455) <-> 10.x.x.3(443)

     

    9 1 0.0195 (0.0195) C>S Handshake

     

    ClientHello

     

    Version 3.1

     

    cipher suites

     

    Unknown value 0xc00a

     

    Unknown value 0xc014

     

    Unknown value 0x88

     

    Unknown value 0x87

     

    TLS_DHE_RSA_WITH_AES_256_CBC_SHA

     

    TLS_DHE_DSS_WITH_AES_256_CBC_SHA

     

    Unknown value 0xc00f

     

    Unknown value 0xc005

     

    Unknown value 0x84

     

    TLS_RSA_WITH_AES_256_CBC_SHA

     

    Unknown value 0xc007

     

    Unknown value 0xc009

     

    Unknown value 0xc011

     

    Unknown value 0xc013

     

    Unknown value 0x45

     

    Unknown value 0x44

     

    TLS_DHE_DSS_WITH_RC4_128_SHA

     

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA

     

    TLS_DHE_DSS_WITH_AES_128_CBC_SHA

     

    Unknown value 0xc00c

     

    Unknown value 0xc00e

     

    Unknown value 0xc002

     

    Unknown value 0xc004

     

    Unknown value 0x96

     

    Unknown value 0x41

     

    TLS_RSA_WITH_RC4_128_MD5

     

    TLS_RSA_WITH_RC4_128_SHA

     

    TLS_RSA_WITH_AES_128_CBC_SHA

     

    Unknown value 0xc008

     

    Unknown value 0xc012

     

    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

     

    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

     

    Unknown value 0xc00d

     

    Unknown value 0xc003

     

    Unknown value 0xfeff

     

    TLS_RSA_WITH_3DES_EDE_CBC_SHA

     

    compression methods

     

    unknown value

     

    NULL

     

    9 2 0.0196 (0.0000) S>C Handshake

     

    ServerHello

     

    Version 3.1

     

    session_id[32]=

     

    1c 16 d1 cb 2d d0 e6 f0 81 a6 83 53 da 88 a4 2c

     

    19 64 34 24 fe 1c 21 cc 7f b1 b8 10 0b e2 7e fb

     

    cipherSuite TLS_RSA_WITH_RC4_128_SHA

     

    compressionMethod NULL

     

    9 3 0.0196 (0.0000) S>C Handshake

     

    Certificate

     

    9 4 0.0196 (0.0000) S>C Handshake

     

    ServerHelloDone

     

    9 5 0.0947 (0.0751) C>S Handshake

     

    ClientKeyExchange

     

    9 6 0.0947 (0.0000) C>S ChangeCipherSpec

     

    9 7 0.0947 (0.0000) C>S Handshake

     

    Finished

     

    9 8 0.0947 (0.0000) C>S application_data

     

    ---------------------------------------------------------------

     

    GET /callreport/ HTTP/1.1

     

    Host: 10.98.255.60

     

    Connection: keep-alive

     

    User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11

     

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

     

    Accept-Encoding: gzip,deflate,sdch

     

    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6

     

    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

     

     

     

    ---------------------------------------------------------------

     

    9 9 0.0981 (0.0034) S>C ChangeCipherSpec

     

    9 10 0.0981 (0.0000) S>C Handshake

     

    Finished

     

     

     

     

  • have you seen tcp connection 10? tcp connection 9 is client-side which is between client and bigip. the tcp connection 10 should be server-side between bigip and pool member.
  • connection to the pool member is unencrypted, but I can't see this happen in tcpdump.

     

    the next connection in the ssl dump is 11, iquery between LTM and GTM
  • connection to the pool member is unencrypted, but I can't see this happen in tcpdump. did you use filter when capturing packet? was the filter really correct? may you try capturing packet without filter or something like this?

     

     

    tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y

     

    x.x.x.x is virtual server ip

     

    y.y.y.y is pool member ip
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    What do you get from using openssl to connect to the VS?

     

     

    H