Overview

Having gone through our SSL Series on Elliptic Curve Cryptography and Perfect Forward Secrecy, you should have a good understanding of these technologies and why they are important to your organization. Our last article demonstrated how to implement ECC and PFS on a LineRate system. This article shows how to verify that SSL with ECC+PFS has been implemented properly on LineRate. Specifically, it details how to check for ECC SSL on the wire with Wireshark and in the browser. Let's get started!

Testing the Client-side SSL

Confirming ECC+PFS cryptography

By browsing to https://ssloffload.lineratesystems.com, it is observed that the ECC secp384r1 curve is being used to secure the session. Figure 1 details the specific network configuration we now have. Note that ssloffload.lineratesystems.com is a private, RFC1918 address and will not work directly for you.

Figure 1: Detailed network overview of the SSL/TLS Offload configuration with LineRate

Figure 2 details the HTTPS request from a client machine to https://ssloffload.lineratesystems.com:

Figure 2: Inspecting the ECC+PFS certificate for the HTTPS session

An investigation into the SSL negotiation details from the client to the LineRate system shows that the ECDHE cipher suite is indeed used in combination with the secp384r1 ECC curve. A pcap of the SSL/TLS handshake has been included at the end of this article if you would like to investigate this process further. Figure 3 shows the highlights of the SSL handshake negotiation: PFS is present (via the Elliptic Curve Diffie–Hellman Exchange, or ECDHE, cipher suite used) and the ECC curve that was successfully negotiated is indeed secp384r1:

Figure 3: Ensuring ECC+PFS cryptography is chosen to secure the client's communication
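The check that Figure 3 performs by eye in Wireshark, as an added example (not code from the original article or from LineRate): a parser that reads the selected cipher suite from the ServerHello and the named curve from the ServerKeyExchange. It assumes a TLS 1.2-or-earlier handshake; the sample flight, the cipher suite chosen for it and all function names are constructed for illustration.

```python
CIPHER_SUITES = {  # small subset of the IANA TLS cipher suite registry
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",  # static RSA key exchange: no PFS
}
NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}

def handshake_messages(stream):
    """Yield (msg_type, body) for the cleartext handshake messages in TLS records."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, length = stream[pos], int.from_bytes(stream[pos + 3:pos + 5], "big")
        if ctype == 20:  # ChangeCipherSpec: handshake records after it are encrypted
            break
        if ctype == 22:  # handshake record; one message may span several records
            buf += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    while len(buf) >= 4:
        end = 4 + int.from_bytes(buf[1:4], "big")
        if end > len(buf):
            raise ValueError("truncated handshake message")
        yield buf[0], buf[4:end]
        buf = buf[end:]

def negotiated(stream):
    """Return (cipher suite, named curve) selected by the server, None where absent."""
    suite = curve = None
    for msg_type, body in handshake_messages(stream):
        if msg_type == 2:  # ServerHello: version(2) random(32) sid_len(1) sid suite(2)
            suite_id = int.from_bytes(body[35 + body[34]:][:2], "big")
            suite = CIPHER_SUITES.get(suite_id, f"unknown 0x{suite_id:04X}")
        elif msg_type == 12 and suite and "_ECDHE_" in suite:  # ServerKeyExchange
            if body[0] == 3:  # curve_type named_curve, followed by the 2-byte curve id
                curve_id = int.from_bytes(body[1:3], "big")
                curve = NAMED_CURVES.get(curve_id, f"unknown {curve_id}")
    return suite, curve

def is_ecc_pfs(stream, want_curve="secp384r1"):
    suite, curve = negotiated(stream)
    return bool(suite) and "_ECDHE_" in suite and curve == want_curve

def _record(msg_type, body):  # wrap one handshake message in a TLS 1.2 record
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(msg).to_bytes(2, "big") + msg

def sample_flight(suite_id, curve_id=None):  # constructed data, not a real capture
    out = _record(2, b"\x03\x03" + bytes(33) + suite_id.to_bytes(2, "big") + b"\x00")
    if curve_id is not None:  # 0x61 = length of a zeroed placeholder P-384 point
        out += _record(12, b"\x03" + curve_id.to_bytes(2, "big") + b"\x61\x04" + bytes(96))
    return out
```

To run it against real traffic, pass the server-to-client TCP payload bytes exported from the capture in place of `sample_flight(...)`.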

Testing the server-side request
 

Confirming reverse proxying via HTTP (not HTTPS)

A network capture of the proxied request from the client to the web server can be seen below in Figure 4. Note that the communication is unencrypted while in the secure datacenter. This proves that the SSL Offload on the LineRate system has been successfully implemented, relieving our internal servers of the cryptography burden. A pcap of the HTTP request has been included at the end of this article if you would like to investigate this HTTP request further.

Figure 4: Ensuring the SSL client request to the web server has been successfully offloaded on LineRate

 

Benefits of SSL offload via LineRate

By now, you should have a good understanding of Elliptic Curve Cryptography and Perfect Forward Secrecy and why they are important to your organization. An SSL Offload system has now been successfully implemented as well. LineRate offers a very competitive $ per SSL Terminations-per-second and can quickly and easily help your organization implement an SSL Offloading system. Here are a few additional benefits LineRate offers:

  • Quickly deploy a more secure application
    • LineRate is a software-based product that can be quickly deployed on existing x86 bare metal hardware or in virtualized environments.
    • In fact, a production-ready SSL/TLS offload system can be set up in under an hour.
  • Simple key management
    • Configure a few LineRate systems versus hundreds of servers in a traditional SSL deployment
    • By placing SSL information on a few LineRate instances, security exposure to public key compromise is significantly reduced
  • Easily implement SSL in a non-SSL environment
    • Add security for end-users while allowing LineRate to talk to your internal network via unencrypted protocols
    • Of course, LineRate can facilitate encrypted communications with the application servers if desired
  • High-performance
    • LineRate is a high-performance, software-based solution that easily incorporates into your existing infrastructure. It can handle the high throughput and high connection counts required for a modern datacenter.
    • By offloading SSL with LineRate, resources on the servers that handle your application are freed up. This way your application servers can focus on handling your application rather than the overhead of SSL.

Move over RSA: ECC crypto is here to stay! From this demonstration, it is easy to see that LineRate is a great way to quickly and easily deploy better performance and security with SSL. Take LineRate's SSL Offloading capabilities for a spin!

Ready to try LineRate? Visit https://linerate.f5.com/try
Want to learn more about LineRate? Visit https://linerate.f5.com/learn

 

Reference

In case you missed any content, or would like to reference it again, here are the articles related to implementing SSL Offload with ECC and PFS on LineRate: