SSL offloading

Question

Hello,&nbsp;
I'm trying to test SSL offloading on F5 LTM VE (10.1.0 / 3341.1084).&nbsp;
My setup is pretty straight-forward -- one pool member running IIS 6 on 80/tcp with VS in the same network (I can ping/access port 80 of the pool member from F5 without any issues).&nbsp;
HTTP Profile is selected along with a ClientSSL profile (I use F5 embedded, self-signed, clientssl certificate). SNAT is set to Auto-map. Default and Fallback Persistence Profiles are set to None.&nbsp;
When I try to access the VS on port 443 using Internet Explorer (9) it works OK, but it doesn't work with the latest Firefox and Chrome -- it times out. Ocassionally I see untrusted certificate warnings from Firefox and if I accept it the connection times out.&nbsp;
It's worth to mention that it only happens with SSL offloading -- http to http works fine in all three browsers.&nbsp;
I think my case is similar to https://devcentral.f5.com/community/group/aft/2165315/asg/52 , although it always works with IE for me.&nbsp;
Could it be somehow linked to the evaluation edition? I read about rate/no of connection restrictions but I'm pretty sure I don't hit them.&nbsp;
Thank you in advance.&nbsp;
 &nbsp;

nitass · Answer

is it possible to compare ssldump when using ie and ff/chrome? 
&nbsp;  
&nbsp; sol10209: Overview of packet tracing with the ssldump utility 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html

kevin_stewart · Answer

Here's what you're SSLDUMP string might look like: 
&nbsp;  
&nbsp; ssldump -k  -i 0.0 -AdNn port 443 
&nbsp;  
&nbsp; -k  - you need the physical location of the private (*.key) file that is specified in the client SSL profile 
&nbsp; -i 0.0  - this means use all interfaces, but you can narrow it down to a single VLAN/interface 
&nbsp; -AdNn - this esentially means decrypt the traffic if possible and clean up the capture 
&nbsp; port 443 - this is your filter. SSLDUMP absolutely requires a filter string. YOu can narrow this down to an IP address or anything else as long as the filter is there. 
&nbsp;  
&nbsp; What you're looking for are the initial client and server SSL handshakes, and more specifically, where it fails. You'll either see one of the parties mysteriously reset, or potentially a "fatal handshake" error. Please post what you find. 
&nbsp;  
&nbsp; Also: 
&nbsp; 1. Do your client certificates contain a CRLDP or AIA field, and if so are those accessible? 
&nbsp; 2. In Chrome, under Advanced Settings and HTTP/SSL, do you have "Check for server certificate revocation" checked? 
&nbsp; 3. In Firefox, in Options, Advanced, Encryption, then the Validation button, what do you have checked there? &nbsp;

nov1ce_120072 · Answer

Thank you.  Here it is (I omitted html content for successful attempts): 
&nbsp;  
&nbsp; Internet Explorer: http://pastebin.com/PgEMErsD  (works OK) 
&nbsp; Firefox: http://pastebin.com/uLeTF4y3  (I left it connecting during the tcpdump session and eventually, after some time, the webpage was loaded but corrupted (for example, without images, CSS and forms)) 
&nbsp; Chrome: http://pastebin.com/V2ih7bUy  (never worked, timed out pretty quick) 
&nbsp;  
&nbsp; 1. Do your client certificates contain a CRLDP or AIA field, and if so are those accessible? 
&nbsp; How can check this? I'm using self-signed certificate which was included with F5 LTM VE. 
&nbsp;  
&nbsp; 2. In Chrome, under Advanced Settings and HTTP/SSL, do you have "Check for server certificate revocation" checked?  
&nbsp; It's unchecked. 
&nbsp;  
&nbsp; 3. In Firefox, in Options, Advanced, Encryption, then the Validation button, what do you have checked there?  
&nbsp; Both options are unchecked. 
&nbsp;  
&nbsp; Many thanks for your time.

kevin_stewart · Answer

"How can check this? I'm using self-signed certificate which was included with F5 LTM VE." 
&nbsp; - Nevermind. You're not using client certs and you're using the default server certs on the BIG-IP. Didn't catch that at first. 
&nbsp;  
&nbsp; Okay, so it doesn't appear to be a validation/revocation issue. Do you not get certificate warnings with all of the browsers? Do you have any special cipher settings (or anything special) in your client SSL profile, or in your browsers? 
&nbsp;  
&nbsp; Also, not sure this is related, as it talks about client cert, but take a look at this: 
&nbsp;  
&nbsp; sol12313: The BIG-IP system responds with a full SSL handshake regardless of whether the client sends a session ID during SSL session renegotiation 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/12000/300/sol12313.html?sr=27615885 
&nbsp;  
&nbsp; And ID 226971 from the 10.2.1 release notes 
&nbsp; http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_10_2_1_ltm.html?sr=27616725 &nbsp;

nitass · Answer

i do see ie session using TLS_RSA_WITH_AES_128_CBC_SHA cipher but ff/chrome using TLS_RSA_WITH_AES_256_CBC_SHA. additionally, it seems tls v1.1 is enabled in chrome (as we see it tried tls v1.1 (Version 3.2) first in client hello message. 
  
 anyway, i am not sure if this is relevant but if you want to try, we may force TLS_RSA_WITH_AES_128_CBC_SHA cipher and disable tls v1.1 in chrome and see whether it makes any change. 
  
 e.g. 
 [root@ve10:Active] config  b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ciphers "AES128-SHA"
}

Forum Discussion

SSL offloading

6 Replies

Recent Discussions

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

Related Content

SSL Offload with HTTP/2.0

SSL Offloading for specific IPs or range of IPs

F5 SSL Offload behind Nginx Reverse Proxy

F5 Synthesis: Hybrid SSL Offload

SSL Profiles