Log Message - ssl3_get_client_hello:no shared cipher / wrong version number

The message shows that a client tried to connect to a Virtual Service using the SSLv3 protocol, but SSLv3 has been disabled on the LoadMaster, so the connection failed.

Log Message
<Date><Time><LM Hostname> vsslproxy: Client <Client IP> failed SSL negotiation: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

or

SSL routines:ssl3_get_client_hello:wrong version number

For example,
Jul13 11:54:37 Kemp01 vsslproxy: Client 54.198.0.97 failed SSL negotiation: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number

Check the IP addresses of the clients. If the client is valid, SSLv3 can be enabled on the LoadMaster Virtual Service; however, this is against best practice because SSLv3 is a weak protocol. Sites such as Qualys SSL Labs, which are used to check websites for vulnerabilities, will also highlight this. If the client is not valid, you may need to look at using ACLs or a Web Application Firewall (WAF) that can block known bad IPs. Details for WAF can be found here.

You can enable or disable SSLv3 on the Virtual Service under the SSL Properties option of the Virtual Service.
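A triage helper for the client check described above, as an added example (not Kemp code): it groups the two failure messages by client IP and marks which sources fall inside networks you list as known. The `known_networks` parameter, the 10.0.0.0/8 range, and every sample line after the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Matches the vsslproxy failure format quoted in this article.
LINE_RE = re.compile(
    r"vsslproxy: Client (?P<ip>\S+) failed SSL negotiation: "
    r"error:[0-9A-Fa-f]+:SSL routines:ssl3_get_client_hello:(?P<reason>.+?)\s*$"
)
REASONS = {"no shared cipher", "wrong version number"}

# First line is the article's example; the rest are constructed sample data.
SAMPLE_LOG = """\
Jul13 11:54:37 Kemp01 vsslproxy: Client 54.198.0.97 failed SSL negotiation: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Jul13 11:54:39 Kemp01 vsslproxy: Client 198.51.100.7 failed SSL negotiation: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Jul13 11:54:40 Kemp01 vsslproxy: Client 198.51.100.7 failed SSL negotiation: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Jul13 11:54:41 Kemp01 vsslproxy: Client 198.51.100.7 failed SSL negotiation: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Jul13 11:55:02 Kemp01 vsslproxy: Client 10.20.30.40 failed SSL negotiation: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Jul13 11:55:10 Kemp01 unrelated: constructed line that must be ignored
"""

def summarize(lines, known_networks=()):
    """Count handshake failures per client; known_networks is a hypothetical allow-list of CIDRs."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    per_client = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["reason"] not in REASONS:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field: skip rather than guess
        per_client[ip][m["reason"]] += 1
    report = [
        {"client": str(ip), "known": any(ip in n for n in nets),
         "total": sum(c.values()), "reasons": dict(c)}
        for ip, c in per_client.items()
    ]
    # Unknown clients first, then by descending failure count.
    report.sort(key=lambda r: (r["known"], -r["total"]))
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"]):
        print(row)
```

Known clients that appear in the report are the ones to upgrade rather than a reason to re-enable SSLv3; unknown sources with repeated failures are candidates for the ACL or WAF review mentioned above.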

 

 

 

