Introduction

F5 BIG-IP SSL profile errors prevent secure TLS connections through the load balancer. Common issues include missing or expired certificates, incomplete certificate chains, cipher suite mismatches, protocol version conflicts, and client SSL profile configuration errors. These errors result in connection failures, browser security warnings, or TLS handshake timeouts.

Symptoms

Error indicators in F5 logs:

```text
SSL handshake failed: no shared cipher
SSL profile certificate error
Certificate chain incomplete
TLS protocol version not supported
Client certificate verification failed
```

Observable indicators:

  • Browser shows certificate warning or connection failed
  • SSL_handshake_failure in connection logs
  • Clients unable to connect via HTTPS
  • Virtual server showing connection resets
  • Certificate shown as invalid or expired
  • testssl.sh showing cipher or protocol issues

Common Causes

  1. Certificate expired - Certificate past validity date
  2. Incomplete certificate chain - Missing intermediate certificates
  3. Cipher suite mismatch - No overlapping ciphers with client
  4. Protocol version mismatch - Client only supports older TLS
  5. Client SSL profile errors - Wrong profile type or configuration
  6. Key/certificate mismatch - Private key doesn't match certificate
  7. SNI not configured - Multi-cert profile missing SNI

Step-by-Step Fix

Step 1: Check SSL Profile Configuration

```bash
# List all client SSL profiles
tmsh list ltm profile client-ssl

# Show every property of a specific profile
tmsh list ltm profile client-ssl my_client_ssl all-properties

# Check which certificate, key and chain are assigned
tmsh list ltm profile client-ssl my_client_ssl cert key chain

# Show the server SSL profile (BIG-IP to pool member side)
tmsh list ltm profile server-ssl my_server_ssl
```

Step 2: Check Certificate Status

```bash
# List all installed certificates
tmsh list sys file ssl-cert

# Show all properties of one certificate (subject, issuer, expiration-date)
tmsh list sys file ssl-cert my_cert all-properties

# Report certificates that are expired or about to expire
tmsh run sys crypto check-cert verbose enabled

# Show only the expiration fields of one certificate
tmsh list sys file ssl-cert my_cert | grep -i expir
```

```bash
# Check validity dates with OpenSSL on the BIG-IP
openssl x509 -in /config/ssl/ssl.crt/my_cert.crt -text -noout | grep -A2 "Validity"

# Verify the chain: the intermediate is passed as untrusted chain material and
# the trust anchor comes from the system CA bundle (verifying against the
# intermediate alone fails, because it is not a self-signed root)
openssl verify -CAfile /config/ssl/ssl.crt/ca-bundle.crt \
  -untrusted /config/ssl/ssl.crt/intermediate.crt \
  /config/ssl/ssl.crt/my_cert.crt
```

Step 3: Check Certificate Chain

```bash
# Intermediate certificates are ordinary ssl-cert objects; list them
tmsh list sys file ssl-cert

# Check whether a chain is configured on the profile
tmsh list ltm profile client-ssl my_client_ssl chain

# Add the intermediate certificate as the profile's chain
tmsh modify ltm profile client-ssl my_client_ssl chain intermediate_cert

# Or build a full-chain file manually (leaf first, then intermediate),
# then install it with "tmsh install sys crypto cert ... from-local-file"
cat /config/ssl/ssl.crt/server.crt \
    /config/ssl/ssl.crt/intermediate.crt \
    > /config/ssl/ssl.crt/fullchain.crt
```

Step 4: Fix Cipher Configuration

```bash
# Check the current cipher string
tmsh list ltm profile client-ssl my_client_ssl ciphers

# Update the cipher string for modern clients (the string must use BIG-IP
# cipher syntax; an invalid string is rejected when the profile is modified)
tmsh modify ltm profile client-ssl my_client_ssl \
  ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"

# Or use a cipher group (recommended); a cipher string and a cipher group
# are mutually exclusive, so clear the string at the same time
tmsh modify ltm profile client-ssl my_client_ssl ciphers none cipher-group f5-secure

# List available cipher groups
tmsh list ltm cipher-group
```

Step 5: Fix Protocol Versions

```bash
# Check the protocol options currently set
tmsh list ltm profile client-ssl my_client_ssl options

# Disable SSLv3, TLS 1.0 and TLS 1.1; TLS 1.2 and 1.3 stay enabled because
# they are not disabled. "options { ... }" replaces the whole list, so keep
# dont-insert-empty-fragments in it.
tmsh modify ltm profile client-ssl my_client_ssl \
  options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1.1 }

# Protocol versions are controlled only through this options list on the
# client-ssl profile; there is no separate minimum/maximum version property.
```

Step 6: Check Key-Certificate Match

```bash
# Verify the key matches the certificate (RSA only: compare modulus hashes)
openssl x509 -noout -modulus -in /config/ssl/ssl.crt/my_cert.crt | md5sum
openssl rsa -noout -modulus -in /config/ssl/ssl.key/my_key.key | md5sum
# Both commands must print the same hash

# For any key type (RSA or ECDSA), compare the public keys instead
openssl x509 -noout -pubkey -in /config/ssl/ssl.crt/my_cert.crt | sha256sum
openssl pkey -pubout -in /config/ssl/ssl.key/my_key.key | sha256sum

# If the hashes differ, import the correct key
tmsh install sys crypto key my_new_key from-local-file /config/ssl/ssl.key/new_key.key
```
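The expiry, key-match and chain checks of steps 2, 3 and 6, as an added example that is not F5 tooling or code from this page: three shell functions around openssl, exercised against a throw-away root CA, intermediate and leaf that the script generates itself as constructed input (the names root.crt, inter.crt, leaf.crt, leaf.key and other.key are assumptions).

```shell
#!/bin/sh
# Added example (not F5 tooling): the expiry, key-match and chain checks of
# steps 2, 3 and 6 as shell functions around openssl. A throw-away root CA,
# intermediate and leaf are generated below as constructed input.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
q() { "$@" >/dev/null 2>&1; }    # run a command quietly, still fail on error
# Constructed PKI: root -> intermediate (CA:TRUE) -> leaf, each valid 2 days
q openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=TestRoot -days 2 \
    -keyout root.key -out root.crt
q openssl req -newkey rsa:2048 -nodes -subj /CN=TestIntermediate \
    -keyout inter.key -out inter.csr
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
q openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.crt
q openssl req -newkey rsa:2048 -nodes -subj /CN=www.example.test \
    -keyout leaf.key -out leaf.csr
q openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.crt
q openssl genrsa -out other.key 2048   # unrelated key for the mismatch case

# Prints yes if the certificate is still valid $2 days from now, else no
cert_valid_for_days() {
  if openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# Prints match/mismatch by comparing public keys; unlike the RSA modulus
# trick this also works for ECDSA keys
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
  if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# Prints ok/fail: leaf verified against the root, with the intermediate given
# as untrusted chain material ($3) or omitted to reproduce an incomplete chain
chain_verifies() {
  root=$1; leaf=$2; inter=${3:-}
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 && echo ok || echo fail
  fi
}
echo "valid in 1 day: $(cert_valid_for_days leaf.crt 1), in 5 days: $(cert_valid_for_days leaf.crt 5)"
echo "key match: $(key_matches_cert leaf.crt leaf.key) / $(key_matches_cert leaf.crt other.key)"
echo "chain with intermediate: $(chain_verifies root.crt leaf.crt inter.crt), without: $(chain_verifies root.crt leaf.crt)"
```

The second chain_verifies call, with no intermediate, reproduces the "Certificate chain incomplete" failure that a browser reports when the profile has no chain configured.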

Step 7: Configure SNI for Multi-Cert

```bash
# Create a second client-ssl profile that serves the wildcard certificate
# when the client's SNI name matches
tmsh create ltm profile client-ssl sni_profile \
  defaults-from clientssl \
  cert example_wildcard \
  key example_wildcard_key \
  server-name "*.example.com"

# Mark exactly one profile on the virtual server as the SNI default
# (used when the client sends no SNI or no server-name matches)
tmsh modify ltm profile client-ssl my_profile sni-default true

# Attach the additional profile; BIG-IP selects the profile by server-name
tmsh modify ltm virtual https_vs \
  profiles add { sni_profile { context clientside } }
```

Step 8: Test SSL Connection

```bash
# Test from the BIG-IP (or any client that can reach the virtual server)
openssl s_client -connect virtual-server:443 -servername example.com

# Test a specific cipher
openssl s_client -connect virtual-server:443 -cipher ECDHE-RSA-AES256-GCM-SHA384

# Test a TLS version
openssl s_client -connect virtual-server:443 -tls1_2
openssl s_client -connect virtual-server:443 -tls1_3

# Show the certificate chain the virtual server sends
openssl s_client -connect virtual-server:443 -servername example.com -showcerts
```

Step 9: Verify the Fix

```bash
# Check profile status and statistics
tmsh show ltm profile client-ssl my_client_ssl

# Test an HTTPS connection
curl -v https://virtual-server/

# Use testssl.sh for a comprehensive check
testssl.sh https://virtual-server:443

# Look at recent SSL messages in the LTM log
grep -i ssl /var/log/ltm | tail -50
```

Advanced Diagnosis

Check SSL Statistics

```bash
# Show SSL profile statistics (handshakes, failures, protocol and cipher counts)
tmsh show ltm profile client-ssl my_client_ssl

# Pick out the failure counters
tmsh show ltm profile client-ssl my_client_ssl | grep -i fail

# Watch SSL messages arrive in the LTM log in real time
tail -f /var/log/ltm | grep -i ssl
```

Debug Handshake Issues

```bash
# Raise the SSL log level to debug (log.ssl.level is a sys db variable)
tmsh modify sys db log.ssl.level value Debug

# View the resulting messages
tmsh show sys log ltm

# Reset the log level to the default after debugging; debug logging is
# verbose and costs CPU on a busy system
tmsh modify sys db log.ssl.level value Warning
```

Client Certificate Authentication

```bash
# Require a client certificate issued by a CA in the configured bundle
tmsh modify ltm profile client-ssl my_client_ssl \
  ca-file my_client_ca_cert \
  peer-cert-mode require \
  authenticate once \
  authenticate-depth 9

# Request a client certificate but let the handshake continue without one
tmsh modify ltm profile client-ssl my_client_ssl peer-cert-mode request
```

OCSP Stapling

```bash
# Configure OCSP stapling
tmsh modify ltm profile client-ssl my_client_ssl \
  stapling enable \
  stapling-responder-url http://ocsp.example.com

# Check OCSP status
tmsh show ltm profile client-ssl my_client_ssl ocsp
```

Common Pitfalls

  • Missing intermediate cert - Browser shows incomplete chain
  • Cipher string syntax error - Invalid cipher specification
  • TLS version mismatch - Old clients can't connect with TLS 1.2+ only
  • Key/cert mismatch - Handshake fails immediately
  • SNI not enabled - Wrong certificate served for multi-domain
  • Expired certificate - Browser shows security warning
  • Wrong profile attached - Client profile on server side

Best Practices

```bash
# Create a comprehensive SSL profile
tmsh create ltm profile client-ssl secure_profile \
  defaults-from clientssl \
  cert server_cert \
  key server_key \
  chain intermediate_cert \
  ciphers none \
  cipher-group f5-secure \
  options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1.1 } \
  sni-default true
# OCSP stapling is configured separately (see the OCSP Stapling section)

# Import a new certificate with its chain, and the matching key
tmsh install sys crypto cert new_cert from-local-file /tmp/fullchain.crt
tmsh install sys crypto key new_key from-local-file /tmp/server.key

# Update the profile with the new certificate and key
tmsh modify ltm profile client-ssl secure_profile \
  cert new_cert \
  key new_key

# Save the configuration
tmsh save sys config
```

SSL Profile Template

```bash
# Complete profile configuration
tmsh create ltm profile client-ssl production_ssl \
  defaults-from clientssl \
  cert example.com.crt \
  key example.com.key \
  chain intermediate.crt \
  ciphers "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20" \
  options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1.1 } \
  renegotiation disabled \
  strict-resume disabled \
  sni-default true
# OCSP stapling is configured separately (see the OCSP Stapling section)

# Attach the profile to the virtual server on the client side
tmsh modify ltm virtual https_vs \
  profiles add { production_ssl { context clientside } }
```
