NSX Advanced Load Balancer supports capturing details of the SSL client's ciphers in its application logs. It records the ciphers sent by a client in the SSL Client Hello packet. The details of the ciphers used to establish an SSL connection with a virtual service are available in the application log.
No Shared Ciphers Error
When a client uses a cipher that is not supported, the virtual service closes the connection and records the error No Shared Cipher in the application log. The following are the reasons for the No Shared Cipher error:
The client sends ciphers that are not configured in the virtual service's SSL profile.
The client sends ciphers that do not match the authentication type of the certificate on the virtual service. For instance, the client sends ECDSA ciphers when the virtual service has only an RSA certificate configured.
The client sends ciphers that do not match the enabled SSL/TLS protocol. For instance, the client sends the TLS 1.2 cipher AES256-GCM-SHA384 when the virtual service does not have the TLS 1.2 protocol enabled (even though the SSL profile has this cipher enabled).
When any one of these issues occurs, it is helpful to see which ciphers the client sent in its Client Hello. The necessary changes can then be made to the virtual service or the client configuration to fix the problem.
A client sends anywhere between 180-200 ciphers in a Client Hello, and the server picks one of them. The cipher selection depends on several factors on the virtual service, such as the ciphers and protocols enabled and the type of certificate configured. When the virtual service is unable to select a single cipher, the SSL connection fails with the error SSL Error: No Shared Cipher. In such a case, NSX Advanced Load Balancer records all the ciphers that the client sent in the application log.
Accessing Client’s Cipher List
The client's cipher list is accessible through a REST API request for the application log. The identified and unidentified ciphers can be checked using the field client_cipher_list within the application log (add location here).
A No Shared Cipher SSL error can be fixed by making the necessary changes to the virtual service or client configuration according to the ciphers sent by the client.
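The three causes listed above (cipher not in the SSL profile, certificate authentication type mismatch, protocol not enabled) can be checked mechanically once the client_cipher_list field has been pulled from the application log. The following is an added example, not part of the NSX Advanced Load Balancer documentation or product code: it takes a constructed log record and a constructed virtual-service configuration (SSL profile cipher set, certificate types, enabled protocols) and reports, for each cipher the client offered, which rule excluded it. Only the field name client_cipher_list comes from the documentation; the cipher lookup table, the colon-separated field format and all sample values are assumptions made for this example.

```python
"""Classify why a TLS Client Hello produced 'No Shared Cipher'.

Added example, not part of the NSX Advanced Load Balancer documentation or
product code. The application-log record, SSL profile, certificate set and
protocol set are constructed; only the log field name client_cipher_list
is taken from the documentation.
"""

# Constructed lookup: OpenSSL-style cipher name -> (certificate auth type,
# TLS versions in which the suite can be negotiated). Only the names used in
# this example are covered; extend it for your own environment.
CIPHER_INFO = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": ("ECDSA", {"TLSv1.2"}),
    "ECDHE-ECDSA-AES128-GCM-SHA256": ("ECDSA", {"TLSv1.2"}),
    "ECDHE-RSA-AES256-GCM-SHA384":   ("RSA",   {"TLSv1.2"}),
    "ECDHE-RSA-AES128-GCM-SHA256":   ("RSA",   {"TLSv1.2"}),
    "AES256-GCM-SHA384":             ("RSA",   {"TLSv1.2"}),
    "AES128-SHA":                    ("RSA",   {"TLSv1.0", "TLSv1.1", "TLSv1.2"}),
}


def parse_client_cipher_list(value):
    """Split the client_cipher_list field into individual cipher names.

    Assumption: the field is a colon-separated OpenSSL-style string. If your
    logs use a different separator, adjust this one line.
    """
    return [c.strip() for c in value.split(":") if c.strip()]


def diagnose(record, profile_ciphers, cert_auth_types, enabled_protocols):
    """Return (negotiable, reasons).

    negotiable: client ciphers the virtual service could have selected.
    reasons: dict cipher -> the first rule from the documentation that
             excludes it (SSL profile, certificate type, or protocol).
    """
    negotiable = []
    reasons = {}
    for cipher in parse_client_cipher_list(record["client_cipher_list"]):
        if cipher not in profile_ciphers:
            reasons[cipher] = "not enabled in the SSL profile"
            continue
        if cipher not in CIPHER_INFO:
            reasons[cipher] = "not in this example's lookup table"
            continue
        auth, versions = CIPHER_INFO[cipher]
        if auth not in cert_auth_types:
            reasons[cipher] = (f"needs an {auth} certificate; virtual service "
                               f"has {sorted(cert_auth_types)}")
            continue
        if not versions & enabled_protocols:
            reasons[cipher] = (f"needs {sorted(versions)}; enabled protocols "
                               f"are {sorted(enabled_protocols)}")
            continue
        negotiable.append(cipher)
    return negotiable, reasons


def expect_no_shared_cipher(record, profile_ciphers, cert_auth_types, enabled_protocols):
    """True when every client cipher is excluded, i.e. the application log
    would show 'SSL Error: No Shared Cipher'."""
    negotiable, _ = diagnose(record, profile_ciphers, cert_auth_types, enabled_protocols)
    return not negotiable


# Constructed application-log record: a client offering three ciphers.
SAMPLE_RECORD = {
    "client_cipher_list": "ECDHE-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES128-SHA",
}
# Constructed virtual-service configuration: RSA certificate only, an SSL
# profile without AES128-SHA, and TLS 1.2 not enabled.
PROFILE = {"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384"}
CERTS = {"RSA"}
PROTOCOLS = {"TLSv1.1"}

if __name__ == "__main__":
    negotiable, reasons = diagnose(SAMPLE_RECORD, PROFILE, CERTS, PROTOCOLS)
    print("negotiable:", negotiable)
    for cipher, why in reasons.items():
        print(f"  {cipher}: {why}")
    # Enabling TLS 1.2 on the virtual service makes AES256-GCM-SHA384 usable.
    print("after enabling TLSv1.2:",
          diagnose(SAMPLE_RECORD, PROFILE, CERTS, PROTOCOLS | {"TLSv1.2"})[0])
```

With the constructed inputs, all three client ciphers are excluded for a different reason each (SSL profile, certificate type, protocol), which is exactly the No Shared Cipher case; adding TLSv1.2 to the enabled protocols leaves AES256-GCM-SHA384 negotiable, showing which single configuration change on the virtual service resolves the error for this client.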