Debug SSL Handshake Failures (F5, *nix)

This article primarily applies to debugging SSL handshake failures on F5 LTM, but it can be used on any device with tcpdump. 


It can be tricky to know who is affected when you change settings on your F5 SSL profiles. F5 has a handy little counter under the Statistics tab for your virtual server, but it doesn’t tell you anything about who is failing.


The LTM also logs SSL handshake errors (message ID 01260009), but again that doesn’t tell you who is failing.

Let’s say our security team asked us to change the F5’s ciphers, TLS versions or some other SSL profile setting. Who did I break? Unless you can talk to the customers directly, or spot the drop in back-end database traffic, this is hard to answer.

tcpdump and Wireshark can give us this insight with the right capture.

The foundation for this was a response found here. However, I wanted to look at only the handshake failures in Wireshark to get an idea of which client IPs are affected.

If I run a basic capture on the interface where SSL traffic terminates, I can see messages like this:


Every TLS record begins with a one-byte content type. The records we are looking for are alerts, which always start with 0x15 (decimal 21); a handshake failure is a fatal alert (level 0x02) with description 0x28 (40).


Using the foundation article above, we can craft a tcpdump command to look for these messages.

tcpdump -ni public -C 100 -W 5 -w /var/tmp/ssl_traffic.pcap "port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15)"

This command writes a ring of 5 files of roughly 100 MB each (-C 100 -W 5) that rotate and overwrite one another for you to analyze. The filter reads the TCP data offset from the high nibble of byte 12 of the TCP header ((tcp[12] & 0xf0) >> 2 is the header length in bytes) and tests the first payload byte of each segment, so the files contain TLS alert records of every kind (handshake failures among them) rather than all traffic on port 443. Replace public with the VLAN or interface on which the SSL traffic terminates.

Filter Only Handshake Failure Packets

If you want to view statistics only for the ‘Handshake Failures’, look at the seven-byte alert record from the capture above: 15 (alert) 03 01 (record-layer version) 00 02 (length) 02 (fatal) 28 (handshake_failure). We can apply those bytes as a Wireshark display filter so we only see those packets, and view the statistics on those (described below).

Use the following filter to view only the Handshake Failure packets.

frame contains 15:03:01:00:02:02:28

Note that this filter hard-codes the record-layer version 03 01; the version bytes in an alert vary by TLS stack and negotiated version (03 03 for TLS 1.2, for instance). The dissector field ssl.alert_message.desc == 40 (tls.alert_message.desc in Wireshark 3.x) matches handshake_failure regardless of the version bytes. Now the IPs that are failing to establish an SSL handshake can be analyzed. In Wireshark, open the Statistics menu and click Endpoints. Sort by Packets to see who the top offenders are; because the server sends the alert, the F5 virtual server address will head the list and the client addresses follow. This list can be handed to others to determine whether the clients are legitimate.

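To do the endpoint tally offline, and to catch alerts that the byte-exact Wireshark filter misses, here is an added example in Python. It is not part of the original post and not F5 tooling. It parses a pcap written by the tcpdump command above, reimplements the tcp[12] data-offset trick to find the first TLS record of each segment, decodes any alert it finds, and ranks client IPs by the number of handshake_failure alerts they received (Wireshark's Endpoints view lists the virtual server first; this counts per client). The pcap reader, the RFC 5737 documentation addresses and the frames are constructed for the example; it assumes plain Ethernet/IPv4/TCP framing and plaintext alerts (TLS 1.2 and earlier).

```python
"""Tally TLS alert records per client IP from a pcap file (added example, not from the post).

The high nibble of TCP header byte 12 is the data offset in 32-bit words, so
(byte & 0xf0) >> 2 is the header length in bytes and the byte at that offset is
the first TLS record's content type (0x15 = Alert). Decoding the alert body also
counts handshake_failure alerts whose record-layer version is not 03 01.
Assumptions: classic libpcap format, Ethernet/IPv4/TCP frames, plaintext alerts.
"""
import struct
from collections import Counter

TLS_ALERT = 0x15
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
              46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version",
              80: "internal_error"}


def iter_pcap_frames(data):
    """Yield the link-layer frames of a classic libpcap byte string (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    off = 24                                      # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def _ip4(b):
    return ".".join(str(x) for x in b)


def tcp_view(frame):
    """(src_ip, dst_ip, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                               # not IPv4, or not TCP
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] & 0xF0) >> 2                  # the tcpdump trick: header length in bytes
    return _ip4(frame[26:30]), _ip4(frame[30:34]), sport, dport, tcp[doff:]


def parse_alert(payload):
    """(level, description) if the segment starts with a plaintext TLS Alert record, else None."""
    if len(payload) < 7 or payload[0] != TLS_ALERT:
        return None
    if struct.unpack("!H", payload[3:5])[0] != 2:  # an unencrypted alert body is exactly 2 bytes
        return None
    return payload[5], payload[6]


def tally_alerts(pcap, port=443):
    """Count alerts per (client_ip, description); the client is whichever side is not `port`."""
    counts = Counter()
    for frame in iter_pcap_frames(pcap):
        view = tcp_view(frame)
        if view is None:
            continue
        src, dst, sport, dport, payload = view
        alert = parse_alert(payload) if port in (sport, dport) else None
        if alert is None:
            continue
        client = dst if sport == port else src    # handshake_failure is sent by the server
        counts[(client, ALERT_DESC.get(alert[1], str(alert[1])))] += 1
    return counts


def top_handshake_failures(pcap, port=443):
    """Client IPs ranked by handshake_failure alerts received."""
    fails = Counter({ip: n for (ip, desc), n in tally_alerts(pcap, port).items()
                     if desc == "handshake_failure"})
    return fails.most_common()


# --- constructed sample capture (not real traffic) ---------------------------
def build_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, which is fine for offline parsing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


SERVER, C1, C2, C3 = "192.0.2.10", "198.51.100.5", "198.51.100.7", "198.51.100.9"
SAMPLE_PCAP = build_pcap([
    build_frame(SERVER, C1, 443, 50001, bytes.fromhex("15030100020228")),  # TLS 1.0 fatal handshake_failure
    build_frame(SERVER, C2, 443, 50002, bytes.fromhex("15030300020228")),  # same alert, 03 03 version bytes
    build_frame(SERVER, C1, 443, 50003, bytes.fromhex("15030100020228")),
    build_frame(C3, SERVER, 50004, 443, bytes.fromhex("1603010005") + b"\x01\x00\x00\x01\x00"),  # handshake, ignored
    build_frame(SERVER, C1, 443, 50005, bytes.fromhex("15030300020100")),  # warning close_notify
])

if __name__ == "__main__":
    for ip, n in top_handshake_failures(SAMPLE_PCAP):
        print(f"{ip}\t{n} handshake_failure alert(s)")
```

Run it against one of the rotated files by replacing SAMPLE_PCAP with open("/var/tmp/ssl_traffic.pcap0", "rb").read(). The second sample frame carries 03 03 version bytes, so `frame contains 15:03:01:00:02:02:28` would not have shown it; parsing the alert body instead of matching the raw bytes is what makes the count complete.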

Extra

Maybe you also want to see which protocol version and ciphers the client proposed before the handshake failed, so you can analyze further.

Add an or clause for content type 0x16 (handshake) to the tcpdump filter and you will capture both the alerts and the handshake records. Expand the Client Hello in Wireshark and check what the client is proposing; that will help you determine the minimum set of ciphers you need to keep. Since 0x16 matches every handshake record (Server Hello, Certificate and so on as well as Client Hello), the capture grows much faster, so keep the -C/-W ring from the first command if this will run for long.

tcpdump -ni public -w /var/tmp/ssl_traffic.pcap "port 443 and ((tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) or (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16))"

Deploy LAMP & phpMyAdmin on RHEL 6.5


I know there are a ton of articles out there on this topic. But I had a hard time finding one for RHEL 6.5 (NOT CentOS). There are subtle differences that will trip you up if you follow instructions meant for CentOS. So for all you RHEL people out there tasked with this, here you go.

It may or may not work on other versions or distributions; no guarantee. I’m assuming you’ve installed the base image from the ISO with no additional options and are at the command line as root with Internet access.

Get your Repositories

Register your box with RHN. If you leave off --password, subscription-manager prompts for it, which keeps the password out of your shell history.

# subscription-manager register --username user --password password

EPEL is required for the phpMyAdmin package. The epel-release package also installs the EPEL GPG key and repository definitions with gpgcheck enabled, so packages pulled from EPEL later are signature-checked.

# wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

The ‘optional’ repository is also needed to properly resolve dependencies.

# yum-config-manager --enable rhel-6-server-optional-rpms

Validate your repositories. yum repolist should now list the RHEL base repository, rhel-6-server-optional-rpms and epel:

# yum repolist

Prep Steps

Update Server
# yum update -y
# reboot
Disable Firewall

I like to disable the local firewall, since I use my hardware firewall for that. If you would rather keep the host firewall, modify iptables instead; there’s plenty on that out there. Bear in mind that with iptables off, everything this guide starts is reachable from any network the box sits on, including MySQL on TCP 3306, which listens on all interfaces by default, so make sure something upstream is filtering.

# service iptables stop
# chkconfig iptables off
Install Apache
# yum install -y httpd
# service httpd start
# chkconfig httpd on
Validate Apache
# curl localhost | grep test

If everything went well, matching lines from the default Apache test page are printed.

Install PHP

Optionally install php-mysql if your application requires MySQL support with PHP.

# yum install -y php
# yum install -y php-mysql

Create a test PHP page.

# echo '<?php phpinfo() ; ?>' > /var/www/html/test.php

Validate that the page loads. The output depends on your PHP configuration and version.

# curl localhost/test.php

Remove the test page: phpinfo() discloses paths, module versions and environment variables to anyone who can reach it.

# rm -f /var/www/html/test.php
Install and start MySQL
# yum install -y mysql mysql-server
# service mysqld start
# chkconfig mysqld on

Secure MySQL by running the vendor script. Set the root password when asked; pressing Enter at the remaining prompts accepts the defaults, which remove the anonymous users, disallow remote root login, drop the test database and reload the privilege tables.

# mysql_secure_installation
Install phpMyAdmin (Optional)

phpMyAdmin is a web front end for MySQL database management.

# yum install -y phpmyadmin

Configure remote access to phpmyadmin by editing the following file:

# vi /etc/httpd/conf.d/phpMyAdmin.conf

Search for 127.0.0.1 and replace it with the IP you will use to manage MySQL through a browser, or a subnet. In my case everything on my internal network starts with 10.x.x.x, so I did the following. Keep this allow-list as tight as you can; it is the only thing standing between the network and a database login form.

<Directory /usr/share/phpMyAdmin/>
   AddDefaultCharset UTF-8
   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
       Require ip 10.0.0.0/8
       Require ip ::1
     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 10.0.0.0/8
     Allow from ::1
   </IfModule>
</Directory>
<Directory /usr/share/phpMyAdmin/setup/>
   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
       Require ip 10.0.0.0/8
       Require ip ::1
     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 10.0.0.0/8
     Allow from ::1
   </IfModule>
</Directory>
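Because the same allow-list appears in two stanzas (and twice more in the /setup/ block), it is easy to loosen one and forget the other, or to widen it further than intended. The following is an added example in Python, not part of the original post or the phpMyAdmin package, that audits the networks admitted by phpMyAdmin.conf and rewrites the 127.0.0.1 entries in every stanza at once, refusing anything outside loopback or RFC 1918 space. The sample configuration is built from the stanza above with the package's original 127.0.0.1 entries and one address per Allow/Require line, as the shipped file has; the set of "management" ranges is my assumption and should be adjusted to your network.

```python
"""Audit and rewrite the client allow-list in phpMyAdmin.conf (added example, not from the post).

Handles both the Apache 2.2 (Allow from) and Apache 2.4 (Require ip) stanzas so
they cannot drift apart. Assumes one address or CIDR per line, as shipped.
"""
import ipaddress
import re

# One Allow from / Require ip line carrying a single address or CIDR.
ALLOW_RE = re.compile(r"^([ \t]*(?:Allow from|Require ip)[ \t]+)(\S+)[ \t]*$", re.MULTILINE)

# Assumed management space: loopback plus RFC 1918 / ULA. Adjust for your network.
MANAGEMENT_RANGES = [ipaddress.ip_network(n) for n in
                     ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                      "::1/128", "fc00::/7")]


def allowed_networks(conf_text):
    """Set of address/CIDR strings admitted by every Allow from and Require ip line."""
    return {m.group(2) for m in ALLOW_RE.finditer(conf_text)}


def is_management_network(net_text):
    """True only if the address/CIDR lies entirely inside one of MANAGEMENT_RANGES."""
    try:
        net = ipaddress.ip_network(net_text, strict=False)
    except ValueError:                      # 'All', hostnames, typos
        return False
    return any(net.version == r.version and net.subnet_of(r) for r in MANAGEMENT_RANGES)


def audit(conf_text):
    """Entries in the allow-list that reach outside management space, e.g. 0.0.0.0/0."""
    return sorted(n for n in allowed_networks(conf_text) if not is_management_network(n))


def restrict_to(conf_text, old="127.0.0.1", new="10.0.0.0/8"):
    """Replace `old` with `new` on every Allow from / Require ip line (2.2 and 2.4 stanzas alike).
    Refuses to introduce a network outside MANAGEMENT_RANGES."""
    if not is_management_network(new):
        raise ValueError(f"refusing to allow {new}: outside management space")
    return ALLOW_RE.sub(lambda m: m.group(1) + (new if m.group(2) == old else m.group(2)), conf_text)


# Constructed from the stanza the package ships (main <Directory> block only; the
# /setup/ block is identical and is rewritten by the same call on the full file).
SAMPLE_CONF = """\
<Directory /usr/share/phpMyAdmin/>
   AddDefaultCharset UTF-8
   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
       Require ip 127.0.0.1
       Require ip ::1
     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
</Directory>
"""

if __name__ == "__main__":
    print("allowed:", sorted(allowed_networks(SAMPLE_CONF)), "exposed:", audit(SAMPLE_CONF))
    print(restrict_to(SAMPLE_CONF, "127.0.0.1", "10.0.0.0/8"))
```

On the real box, read /etc/httpd/conf.d/phpMyAdmin.conf into restrict_to, write the result back, and run audit() on it as a final check before service httpd reload; an empty list means nothing outside the management ranges can reach phpMyAdmin at the Apache layer.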

Change the authentication type to http.

# cp /usr/share/phpMyAdmin/config.sample.inc.php /usr/share/phpMyAdmin/config.inc.php 
# vi /usr/share/phpMyAdmin/config.inc.php

Change ‘cookie’ to ‘http’. With auth_type http the browser sends the MySQL credentials as HTTP Basic authentication, which is cleartext on the wire, so use this over HTTPS (mod_ssl) or only from the management network you allowed above.

[...] 
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';
[...]

Finish Up

I like to reboot for good measure, making sure your services start on their own and are functional.

# reboot

Finally, open a browser on the machine you allowed in the steps above and browse to the following:

http://mylampserver/phpmyadmin 

Log in with the root user you created for MySQL.

That’s it, enjoy!!


Format and Mount a new drive in RHEL (or any RedHat based Linux)

The first step is adding the disk. You can either do this by attaching a local drive to the server, zoning a SAN LUN to it or adding a virtual disk through VMware. Either way the process for formatting and mounting is the same.

1. Make sure you have privileged rights either by sudo or logging in as root.

2. Type fdisk -l

  • This lists the disks and partition tables detected by the OS. /dev/sda is the primary disk the OS was installed on; its partition has type Id 83 (Linux). fdisk shows the partition type, not the filesystem on it, so this line alone does not tell you the partition is ext3.
  • /dev/sdb is the new disk that the OS has detected. This is not formatted and does not have any partitions.

3. Since /dev/sdb is the assigned device name, that is the disk we will partition. Open it with fdisk /dev/sdb.

In this mode you can type m at any time for help.

4. We are creating a new partition. To do this, type N

5. Since this is a new “physical” disk, I am going to make it a primary partition, it is not a partition on an existing disk. To do this all I need to type is p.

6. It will then ask you what partition number to assign. Anything in the range it allows will work. An MBR partition table allows 4 primary partitions; beyond that you need an extended partition. Since this is the first partition on that disk, assign it 1. This will make the partition /dev/sdb1.

7. Use the defaults for the rest of the prompts (first and last cylinder), which makes the partition span the whole disk.

8. Type p. This will show you the partition you just created.

9. When you are all done, type (w) to save your changes. If you do not do this, everything that you have done will not take effect.

10. If you enter df -h you will still not see the new partition. Why? Because it has no filesystem yet. You will have to create one.

11. Enter fdisk –l, you will see the new partition you created. The operating system labeled the device as /dev/sdb1 so this is what we will format.

12. To do so we run mke2fs: enter /sbin/mke2fs -j /dev/sdb1. (-j creates a journal, i.e. ext3 rather than ext2; mkfs.ext3 /dev/sdb1 is equivalent.) The command prints the filesystem parameters as it writes the superblocks.

13. Now that the filesystem is created, you need to mount it. To start this process you need to first create a directory to mount to. mkdir /u01 is what I do. If you need to mount it to something specific you can.

14. Now label the filesystem: e2label /dev/sdb1 /u01. The label lets /etc/fstab refer to the filesystem by name instead of by device node.

15. Now you can finally mount the filesystem! To do this just enter mount /dev/sdb1 /u01. This records the mount in /etc/mtab for the running system only.

16. After you enter the command if you type df –h you will see the new drive.

17. The drive will not be mounted automatically when the OS reboots. To fix that, add a line for it to /etc/fstab. Use the bottom line from the example below as a reference. Refer to the filesystem by the label you set in step 14 (LABEL=/u01) rather than by /dev/sdb1, because device names can shift when disks are added or SAN paths are rescanned. Then umount /u01 and mount /u01 (mount point only, so the entry comes from fstab) to confirm the line works before you depend on it at boot.
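The fstab step is where re-runs of this procedure go wrong: a second line for /u01, or a line that names /dev/sdb1 after the disk has become /dev/sdc. The following added example in Python (not part of the original post) builds the entry using the label from step 14 and appends it only if neither the mount point nor the label is already in the file. The sample fstab and its UUID are constructed; the column choices (ext3, defaults, dump 1, fsck pass 2) are my assumption for a data disk.

```python
"""Add the new filesystem to /etc/fstab without duplicating an entry (added example).

Refers to the filesystem by LABEL= (set with e2label in step 14) rather than
/dev/sdb1, and refuses to append a line whose mount point or label already exists.
"""


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, options, dump, pass) per entry, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        fields += ["0", "0"][:6 - len(fields)]     # dump and pass default to 0 when omitted
        yield tuple(fields[:6])


def fstab_entry(label, mountpoint, fstype="ext3", options="defaults", dump=1, fsck_pass=2):
    """One fstab line referring to the filesystem by its label."""
    return f"LABEL={label}\t{mountpoint}\t{fstype}\t{options}\t{dump} {fsck_pass}"


def add_fstab_entry(text, label, mountpoint, **columns):
    """Return (new_text, added). If the mount point or label is already present, text is unchanged."""
    for device, mp, *_ in parse_fstab(text):
        if mp == mountpoint or device == f"LABEL={label}":
            return text, False
    if text and not text.endswith("\n"):
        text += "\n"
    return text + fstab_entry(label, mountpoint, **columns) + "\n", True


# Constructed RHEL 6 style fstab; the UUID is a placeholder, not a real volume.
SAMPLE_FSTAB = """\
/dev/mapper/VolGroup-lv_root /                       ext4    defaults        1 1
UUID=0f2d5a1c-0000-4000-8000-000000000001 /boot     ext4    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
"""

if __name__ == "__main__":
    new_text, added = add_fstab_entry(SAMPLE_FSTAB, "/u01", "/u01")
    print(new_text if added else "entry for /u01 already present")
```

On the server, read /etc/fstab into add_fstab_entry, write the result back only when added is True, then test the entry with umount /u01 followed by mount /u01 as described in step 17.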
