sgnewbie_121449
Jan 23, 2013

SSL - F5 sending TCP RST after handshake

We just renewed the server's SSL certificate with a 2048-bit one, but now the F5 is sending a TCP RST to the server after the handshake.

It's working when we switch back to the old certificate (1024 bit) without changing the F5 config.

Here is the SSLdump:

1 1 0.0010 (0.0010) C>S Handshake
    ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        Unknown value 0x2f
        Unknown value 0x35
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        compression methods
            NULL
1 2 0.0024 (0.0013) S>C Handshake
    ServerHello
        Version 3.1
        session_id[32]=
          50 ff 8c cf 7d cc 68 fe 70 b6 d3 15 6c 6e 7c da
          f6 32 a3 45 48 53 69 e1 cc a4 f7 1e 68 9a 58 8c
        cipherSuite TLS_RSA_WITH_RC4_128_MD5
        compressionMethod NULL
    Certificate
    ServerHelloDone
1 0.0027 (0.0002) C>S TCP RST

I could connect to the server using "openssl s_client -cipher 'RC4-SHA' -connect".

The server is JBOSS. We're using BIG-IP 9.2.3.

Does anyone know why?
 

13 Replies

  • Just FYI, we've tried using SHA1 hash but it's still not good.

    I asked the app support to generate a self-signed 1024-bit certificate and it's finally okay.

    It seems like BIG-IP 9.2.3 doesn't support the new 2048-bit certificate on the server side.
  • Did you try, while configuring the SSL profile, changing the 'cipher' field from default to all? I had the same issue and after that change the SSL handshake was successful.