Forum Discussion
dp_119903
Cirrostratus
F5 support really rocked this.
It turns out, after looking at the packet capture, that the server was receiving an "invalid parameter" in SSL negotiation.
We were using the "default" serverssl profile, which also uses the default ciphers. After connecting to the server using openssl we could see that the cipher was using RC4-SHA. If you use the "tmm --serverciphers 'DEFAULT'" command on the F5 you can see what ciphers are in the "default". And with 11.6 they removed RC4-SHA. To fix it, temporarily, I just added :RC4-SHA to the cipher list so it now looks like:
DEFAULT:RC4-SHA
and it works. I think a more permanent fix is to update SSL on the server itself. But this fixed it.
shaggy
Feb 10, 2015
Nimbostratus
Nice find - SSL cipher suites often change between F5 releases.
I highly recommend not altering the F5 default profiles - create your own based on the F5 default and make your tweaks there. Changing defaults can cause migration/upgrade/support headaches.
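The comparison described in the thread (cipher list before the upgrade, cipher list after it, and what the backend accepts) can be scripted so the mismatch shows up before cutover. This is an added example, not code from the posters or from F5; the table layout, both cipher listings and the backend's accepted set are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample data, laid out like the table `tmm --serverciphers` prints
# (column layout is an assumption; real output differs by release).
PRE_UPGRADE = """\
       ID  SUITE                 BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:     5  RC4-SHA               128  TLS1    Native  RC4     SHA     RSA
 1:    47  AES128-SHA            128  TLS1    Native  AES     SHA     RSA
 2:    53  AES256-SHA            256  TLS1    Native  AES     SHA     RSA
"""
POST_UPGRADE = """\
       ID  SUITE                 BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    47  AES128-SHA            128  TLS1    Native  AES     SHA     RSA
 1:    53  AES256-SHA            256  TLS1    Native  AES     SHA     RSA
"""
# Constructed: suites the backend server accepts (e.g. gathered with openssl).
BACKEND_ACCEPTS = {"RC4-SHA", "RC4-MD5"}

ROW = re.compile(r"^\s*\d+:\s+\d+\s+(\S+)", re.MULTILINE)
WEAK = re.compile(r"RC4|DES|MD5|NULL|EXP")  # legacy primitives worth flagging


def parse_suites(table):
    """Return suite names in listed order, de-duplicated across protocol rows."""
    return list(dict.fromkeys(ROW.findall(table)))


def audit(before, after, backend):
    """Compare the offered suites across an upgrade against one backend."""
    old, new = parse_suites(before), parse_suites(after)
    removed = [s for s in old if s not in new]
    usable = [s for s in new if s in backend]
    # Suites that would restore the handshake if appended to a custom profile.
    restore = [s for s in removed if s in backend]
    return {
        "removed": removed,
        "handshake_ok": bool(usable),
        "restore_with": restore,
        "weak_restore": [s for s in restore if WEAK.search(s)],
    }


if __name__ == "__main__":
    for key, value in audit(PRE_UPGRADE, POST_UPGRADE, BACKEND_ACCEPTS).items():
        print(f"{key}: {value}")
```

A non-empty `weak_restore` means the only way to restore the handshake is a legacy suite, so the backend's SSL stack is the thing to update and any profile change should be tracked as temporary.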