Forum Discussion

Alex_30981
Mar 14, 2012

SSL server profile problem

Hello everybody,

I am having trouble in the SSL server profile setup of an LTM VE (Trial Version). I have surfed the Web looking for an answer but so far I have been unable to solve this problem.

What I want to do is SSL re-encryption by setting up a virtual server with two SSL profiles (client and server SSL profile). Unfortunately the server SSL profile seems to fail: when I connect with openssl from a client machine to the , the SSL handshake against the LTM is correctly fulfilled, but when I send a basic HTTP request it is not being forwarded to the backend server.

Analyzing network traces on all parties involved, I can see a correct SSL handshake between LTM and the two servers but there is no encrypted payload being sent from the LTM to the end machines.

I paste my server SSL profile down here:

    profile serverssl VLAN3_SSL_PROFILE {
       defaults from serverssl
       key none
       cert none
       chain none
       ca file "VLAN3.crt"
       crl file none
       ciphers "DEFAULT"
       modssl methods disable
       renegotiate enable
       renegotiate period indefinite
       renegotiate size indefinite
       peer cert mode ignore
       unclean shutdown enable
       strict resume disable
       handshake timeout 60
       alert timeout 60
       cache size 262144
       cache timeout 3600
    }

I should add that I have associated this profile to a virtual server with no issues and that there is no iRULE involved whatsoever. In addition to this, I have reused the client SSL profile for an SSL OFFLOAD virtual address which actually works, which has led me to suspect that this is an SSL server profile problem only.

Theoretically the steps to achieve what I want to do should be pretty straightforward, but since this is the Trial Version I wonder if this could be some sort of bug. I will appreciate any help you can provide me. Thanks in Advance!!

Regards,

Alex

3 Replies

  • Hi Alex,

    from the release notes:

    http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes_ve_10_1_0.html

    ClientSSL and ServerSSL profiles on same virtual server (CR141545)

    When you assign both a ClientSSL and a ServerSSL profile to the same virtual server, the BIG-IP system forwards the client request successfully, but the client does not receive the response. To work around this issue, you can create two separate virtual servers that specify the same destination IP address and port. The first virtual server references the ClientSSL profile and an iRule that internally routes the connection to the second virtual server instead of to a load balancing pool. The second virtual server references the ServerSSL profile and the load balancing pool. The following is an example of an iRule assigned to a ClientSSL virtual server. The iRule includes the virtual command, which internally routes connections to a second virtual server named server_ssl_test. The second virtual server must have its VLAN disabled using the vlan none enable command:

    rule target_server_ssl {
     when CLIENT_ACCEPTED {
      virtual server_ssl_test
     }
    }
    pool b68_https { member 10.1.1.68:4443 }
    virtual client_ssl_test {
     destination 10.1.1.117:443
     profile http clientssl tcp
     rule target_server_ssl
    }
    virtual server_ssl_test {
     destination 10.1.1.117:443
     profile http serverssl tcp
     pool b68_https
     vlan none enable
    }

    regards,

    Christian Koenning
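
The condition described in the release note quoted above (a ClientSSL and a ServerSSL profile on the same virtual server), written as a configuration check. This is an added example, not part of the thread or of F5's documentation; it assumes the simplified stanza syntax used in the release note and in the posted profile (`virtual NAME { profile ... }`, `profile serverssl NAME { ... }`), and the sample config and the name `reencrypt_vs` are constructed.

```python
# Constructed sample in the stanza style quoted in this thread (not a real config).
SAMPLE = """\
profile serverssl VLAN3_SSL_PROFILE {
   defaults from serverssl
}
rule target_server_ssl {
   when CLIENT_ACCEPTED { virtual server_ssl_test }
}
virtual reencrypt_vs {
   profile http clientssl VLAN3_SSL_PROFILE tcp
}
virtual client_ssl_test {
   profile http clientssl tcp
   rule target_server_ssl
}
virtual server_ssl_test {
   profile http serverssl tcp
   vlan none enable
}
"""

def stanzas(conf):
    """Yield (header_words, body_lines) for each top-level '{ ... }' stanza."""
    depth, head, body = 0, None, []
    for line in conf.splitlines():
        s = line.strip()
        if depth == 0 and s.endswith("{"):
            head, body = s[:-1].split(), []
        elif depth > 0 and not (depth == 1 and s == "}"):
            body.append(s)          # nested braces (iRule events) stay in the body
        depth += s.count("{") - s.count("}")
        if depth == 0 and head:
            yield head, body
            head = None

def both_ssl_sides(conf):
    """Names of virtuals that reference a clientssl AND a serverssl profile."""
    kinds = {"clientssl": "clientssl", "serverssl": "serverssl"}  # built-in parents
    parsed = list(stanzas(conf))
    for head, _ in parsed:  # first pass: custom profiles take their declared type
        if head[0] == "profile" and len(head) == 3 and head[1] in kinds:
            kinds[head[2]] = head[1]
    hits = []
    for head, body in parsed:  # second pass: resolve each virtual's profile names
        names = [w for l in body if l.startswith("profile ") for w in l.split()[1:]]
        if head[0] == "virtual" and {kinds.get(n) for n in names} >= {"clientssl", "serverssl"}:
            hits.append(head[-1])
    return hits

print(both_ssl_sides(SAMPLE))
```

The two-virtual workaround pair (`client_ssl_test`, `server_ssl_test`) is not flagged because each virtual carries only one side's SSL profile.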
  • I'd recommend getting a 45-day eval key for VE lab edition from your F5 or partner SE. You can then install any supported VE version and use all of the modules. The trial is only good for 10.1 and has some limitations like this server SSL profile issue.

    Aaron