SSL Pass Through VS for Safari Clients

Question

We're experiencing an issue with a VS in our configuration which is performing SSL pass through. Clients attempting to connect to our site via Safari (from a Mac) are unable to successfully complete an SSL handshake with F5. Packet traces show that syn/ack happens fine. The client (Safari) then sends a client hello which is ack'd by F5. The very next packet in the trace, however, is consistently a RST, terminating the handshake.have you tried to change cipher suites on safari? i am not sure but i think resetting right away after client hello message may relate to cipher issue.

just my 2 cents.

&nbsp;
&nbsp;
We are planning on making some changes to our site configuration in the near future which will allow us to perform SSL termination. This handshake issue with Safari clients magically disappears in our test environment when we enable SSL termination. &nbsp;

&nbsp;
&nbsp;
Prior to moving this infrastructure behind F5, Safari clients were able to visit the site without problems.&nbsp;

&nbsp;
&nbsp;
In the mean time we are really just looking for some sort of temporary workaround to appease our Safari clients.&nbsp;&nbsp;&nbsp;We currently have a ticket open with F5 support on the issue but I figured I would post here and see if anyone else has run into similar issues. Whether you have or have not I'm open to suggestions if anyone has any.&nbsp;&nbsp;

&nbsp;
&nbsp;
Currently running 11.1.0 HF2 on a Big-IP 3900. The machine I have available to test with is running Safari Version 5.1.7 (7534.57.2) on OSX 10.7.4. The exact same Safari version running on a PC works fine.&nbsp;

&nbsp;
&nbsp;
If you need any further info or clarification, let me know.&nbsp;

nitass · Answer

We're experiencing an issue with a VS in our configuration which is performing SSL pass through. Clients attempting to connect to our site via Safari (from a Mac) are unable to successfully complete an SSL handshake with F5. Packet traces show that syn/ack happens fine. The client (Safari) then sends a client hello which is ack'd by F5. The very next packet in the trace, however, is consistently a RST, terminating the handshake.have you tried to change cipher suites on safari? i am not sure but i think resetting right away after client hello message may relate to cipher issue. 
&nbsp;  
&nbsp; just my 2 cents.

angler · Answer

If it's ssl pass through then the ssl handshake is performed with the pool member not the big-IP. The big-IP is simply passing the connection to the server.  The issue probably lies there.

brian_van_stone · Answer

Determined late yesterday that it is a server issue, not an F5 issue. Doesn't appear to be a cipher suite issue but it did send me down a path that appears to get us closer. 
&nbsp;  
&nbsp; Thanks for the quick response.

brian_van_stone · Answer

Definitely not an F5 issue but I figured I would post this here in case anyone else runs into this problem in the future and comes looking here. 
&nbsp;  
&nbsp; Safari (even the latest version) does not support RFC 5746, which addresses an issue concerning SSL renegotiation which would allow a man in the middle attack. The description of the vulnerability can be found here: http://www.phonefactor.com/sslgap 
&nbsp;  
&nbsp; The vulnerability was identified in August of 2009 and the actual standard to fix it proposed in Feb 2010. All other major browsers (IE, FF, Opera, Chrome, etc.) appear to have been compliant for quite a while. 
&nbsp;  
&nbsp; Recent security patches to our web servers have enforced a requirement for RFC 5746 compliance. F5 Big-IP appears to be compliant, since it can communicate via SSL to these same web servers, but also tolerant of non-compliant clients. It is for this reason that SSL termination makes our problem disappear. 
&nbsp;  
&nbsp; Sorry to spawn a thread unrelated to F5 config, but perhaps this will be useful to someone in the future.

Forum Discussion

SSL Pass Through VS for Safari Clients

4 Replies

Recent Discussions

Issue on license renewal

Maximum throughput of f5 ltm

iRule cookie persistence and pool redirect

redirect not working

Access azure app service using f5 LTM

Related Content

Fingerprinting TLS Clients with JA4 on F5 BIG-IP

Enhance your Application Security using Client-side signals

iRule based RADIUS Client Stack

iRule to set SameSite for compatible clients and remove it for incompatible clients (LTM|ASM|APM)

Enhance your Application Security using Client-side signals – Part 2