Bug ID 459495: HTTPS monitors may fail SSL protocol negotiation on some older HTTPS servers

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
11.3.0, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2

Fixed In:
11.6.0, 11.5.1 HF3

Opened: Apr 29, 2014
Severity: 2-Critical
Related Article:
K54806834

Symptoms

When attempting to monitor a server that does not correctly negotiate TLSv1, the monitor will mark the node or pool member down. Running the ssldump utility on the node will reveal the client (BIG-IP) sending a 'Client Hello' to which the server never responds.

Impact

Unable to monitor services on the problematic server using HTTPS monitors.

Conditions

A legacy web server that does not correctly understand current SSL protocol negotiation. Oracle WebLogic 10.3.4 is one such server.

Workaround

Use HTTP instead of HTTPS. Use a different server version or different web server software.

Fix Information

The HTTPS monitor has been improved to automatically attempt SSLv3/SSLv2-compatible protocol negotiation if TLSv1 protocol negotiation fails.

Behavior Change

HTTPS monitors will fall back to an SSLv2/SSLv3 compatible protocol negotiation if TLSv1/SSLv3 negotiation fails on a specific monitor instance. That particular monitor instance will then continue to use the older protocol negotiation until bigd is restarted or the monitor is reconfigured.
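To read the ssldump capture mentioned under Symptoms, and to tell the TLSv1-style ClientHello a monitor instance sends initially apart from the SSLv2-compatible hello it sends after the fallback described above, here is an added Python example (not F5 code) that classifies a captured ClientHello by its wire format. The sample byte strings are constructed by hand and the cipher suite values in them are arbitrary.

```python
import struct

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def parse_client_hello(data):
    """Classify a captured ClientHello as TLS/SSLv3 record format or SSLv2-compatible format."""
    if len(data) >= 9 and data[0] == 0x16:
        # TLS/SSLv3 record header: type(1) version(2) length(2), then a 4-byte handshake header
        rec_ver = VERSION_NAMES.get((data[1], data[2]), "unknown")
        if data[5] != 0x01:
            raise ValueError("handshake record is not a ClientHello")
        hs_len = int.from_bytes(data[6:9], "big")
        body = data[9:9 + hs_len]
        if len(body) < 2 + 32 + 1 + 2:
            raise ValueError("truncated ClientHello body")
        cli_ver = VERSION_NAMES.get((body[0], body[1]), "unknown")
        pos = 2 + 32                  # skip client_version and the 32-byte random
        pos += 1 + body[pos]          # skip session id (1-byte length prefix)
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        return {"format": "tls_record", "record_version": rec_ver,
                "client_version": cli_ver, "cipher_suites": cs_len // 2}
    if len(data) >= 11 and data[0] & 0x80:
        # SSLv2-compatible header: 2-byte length with the high bit set, then msg type 0x01
        msg_len = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        cli_ver = VERSION_NAMES.get((data[3], data[4]), "unknown")
        cs_len, sid_len, ch_len = struct.unpack("!HHH", data[5:11])
        if msg_len != 9 + cs_len + sid_len + ch_len or len(data) < 2 + msg_len:
            raise ValueError("SSLv2 CLIENT-HELLO length fields are inconsistent")
        return {"format": "sslv2_compatible", "record_version": "SSLv2",
                "client_version": cli_ver, "cipher_suites": cs_len // 3}
    raise ValueError("not a recognised ClientHello")

# Constructed sample captures (hand-built bytes, not output of a real ssldump run).
TLS_HELLO = b"".join([
    b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b",   # record hdr (TLSv1.0, 47 B) + ClientHello hdr (43 B)
    b"\x03\x01", bytes(32), b"\x00",           # client_version TLSv1.0, zeroed random, empty session id
    b"\x00\x04\x00\x2f\x00\x35", b"\x01\x00",  # two cipher suites; one compression method (null)
])
SSLV2_HELLO = b"".join([
    b"\x80\x1f\x01\x03\x01",                   # SSLv2 hdr (high bit set, 31 B follow), CLIENT-HELLO, TLSv1.0
    b"\x00\x06\x00\x00\x00\x10",               # cipher spec len 6, session id len 0, challenge len 16
    b"\x00\x00\x2f\x00\x00\x35", bytes(16),    # two 3-byte cipher specs, zeroed 16-byte challenge
])
```

A server that answers the second format but not the first is one that will trigger the fallback, and the monitor instance will stay on the SSLv2-compatible negotiation until bigd is restarted or the monitor is reconfigured.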