Forum Discussion

msp_64517's avatar
msp_64517
Icon for Nimbostratus rankNimbostratus
Nov 24, 2010

SSL Termination - Broken Connection Safari and IE

I've searched through various topics but can't find a previous discussion/solution on this exact issue and was wondering if anyone has seen this before...

 

 

I have an HTTPS VS that is using a new cert (signed/verified by Equifax). The https site loads perfectly in Chrome and Firefox but fails to load in both IE and Safari.

 

 

 

BigIP Sries/Version: 6400/9.0.1 <--- (I know, I am not allowed to upgrade, please don't laugh)

 

 

Browser Errors (on Windows 7):

 

-------------------

 

- IE (version 8.0.7600.16385): 'Internet Explorer cannot display the webpage'

 

- Safari (5.03): Safari can’t open the page “https://www.domain_name/”. The error is: “unknown error” (kCFErrorDomainWinSock:10054)

 

 

 

I have many http (not https) sites running on this system without any problems. My one HTTPS VS setup is very basic and I'm not using iRules:

 

 

1. I imported/uploaded the signed SSL cert and key

 

2. Configured a Client SSL Profile:

 

- Certificate and Key: set to the cert and key I uploaded

 

- Ciphers: !SSLv2:ALL:!ADH:!EXPORT40:!EXP:!LOW:@SPEED

 

- Unclean shutdown: disabled

 

3. Configured an HTTPS VS which is setup in the following way:

 

- ServerPort: 443

 

- OneConnect Profile: None

 

- Protocol: tcp

 

- Client Protocol Profile: tcp

 

- Address Translation: enabled

 

- Port Translation: enabled

 

- SNAT Pool: none (site won't work if set to automap)

 

- ServerSSL Profile: none (site won't work if set to 'serverssl')

 

- ClientSSL Profile: domain_name

 

 

If I change the certificate/key for this HTTPS VS to a signed cert/key for a different domain, then I at least get the 'domain name mismatch' warning in Safari, but IE still displays "cannont display the webpage".

 

 

The first question in this existing topic describes a similar symptom: http://devcentral-sea.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/1172095/afv/topic/Default.aspx

 

 

Also, the real servers are running Apache 2.2 on Centos 5 (SSL support in Apache is not installed/configured on the real servers).

 

 

If anyone has come across this before and can share any insight, it would be much appreciated.

 

Thanks

 

config
design

3 Replies

Sort By
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Nov 24, 2010
    would u mind posting b profile domain_name list all output here?

     

     

    btw, have u ever run tcpdump/ssldump and have a look the packet?
  • msp_64517's avatar
    msp_64517
    Icon for Nimbostratus rankNimbostratus
    Nov 24, 2010
    Here is the output of b profile:

     

     

    b profile domain_name

     

     

    PROFILE domain_name CLIENT SSL parent: clientssl

     

    | Virtual servers: https_209.61.x.x

     

    | key: domain_name.key certificate: domain_name.crt

     

    | conn (cur, max) = (0, 12)

     

    | (in, out) = encrypt (1.909M, 19.53M) decrypt (0, 20.25M)

     

    | record (in, out, bad) = (984, 5, 0)

     

     

     

    When running tcpdump with -X (for both the "internal" and "external" interfaces on the BigIP) I am able to successfully grep the domain name and see that the requests are coming through properly for Firefox and Chrome using HTTPS. However, with IE and Safari, zero traffic is visible when performing HTTPS requests.

     

     

    This implies that the SSL negotiation between the BigIP and these 2 browsers is failing and completely halting any further communication. I just can't determine what IE and Safari require and what I could possibly configure on the BigIP to allow successful SSL negotiation.

     

     

    Thanks

     

     

     

  • msp_64517's avatar
    msp_64517
    Icon for Nimbostratus rankNimbostratus
    Nov 24, 2010
    THIS IS RESOLVED.

     

     

    A colleague of mine was actually able to determine the cause of the issue.

     

     

    It looks like the 'Client Certificate' section of the SSL client profile needed to be set to "Auto"

     

     

    It's strange that this option not being enabled worked fine for Firefox and Chrome but not Safari and IE.