Forum Discussion

Ahmad_Mohaidat_
Apr 21, 2014

LTM SSL Offloading

Dears, I have an application server that uses HTTP port 80. This server is installed behind an F5 LTM and an IPS. We are now requested to encrypt the traffic going to the server using SSL offloading: the traffic from the clients to the F5 should be encrypted using an SSL client profile, and the traffic between the F5 and the server needs to be sent as clear text to make sure that the IPS can read it.

My question is: I created a VS on the F5 that listens on HTTPS, I uploaded the certificates and assigned them to an SSL client profile, and we kept the physical server listening on HTTP (port 80), but that didn't work (I always get a blank page as a response from the server).

Will the LTM by default change the request that comes in on TCP 443 to TCP 80 on the server side, or not? Do I need to change anything?

Best regards, Ahmad
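For reference, the setup described in the question written out as tmsh commands. This is an added example, not configuration taken from the thread: the object names, the pool member address 10.0.0.10, the certificate and key names and the TMSH dry-run variable are assumptions (tmsh syntax of the 11.x era); only the virtual server address 172.32.31.200 and the 443/80 split come from the post. The point it shows is that the LTM connects to whatever port the pool member is defined with, because port translation is enabled on a standard virtual by default, and that the server side stays clear text simply by not attaching a server-ssl profile.

```shell
#!/bin/sh
# Added example (not configuration from the thread): HTTPS in, clear-text HTTP out.
# Object names, the pool member 10.0.0.10 and the cert/key names are assumptions;
# 172.32.31.200:443 is the virtual server address from the thread.
set -eu

TMSH="${TMSH:-tmsh}"   # set TMSH=echo to print the commands instead of running them

configure_ssl_offload() {
  vs_addr="$1"; member="$2"; cert="$3"; key="$4"

  # Pool member defined on port 80. The LTM connects to the member's port, not the
  # virtual server's port (port translation is enabled on a standard virtual by
  # default), so nothing has to "change 443 to 80" explicitly.
  "$TMSH" create ltm pool app_pool_80 members add { "${member}:80" } monitor http

  # Client-side TLS terminates on this profile; inherit everything from the
  # built-in clientssl profile and override only the certificate and key.
  "$TMSH" create ltm profile client-ssl app_clientssl \
      defaults-from clientssl cert "$cert" key "$key"

  # Listener on 443 with tcp + http + the client-ssl profile. Deliberately no
  # server-ssl profile: adding one would re-encrypt toward the pool and blind the IPS.
  "$TMSH" create ltm virtual app_vs_443 \
      destination "${vs_addr}:443" ip-protocol tcp \
      profiles add { tcp http app_clientssl } pool app_pool_80
}

# Verification: the virtual should list one SSL profile (client side only) and a port-80 pool.
show_offload_path() {
  "$TMSH" list ltm virtual app_vs_443 profiles pool
  "$TMSH" list ltm pool app_pool_80 members
}
```

Run `TMSH=echo sh offload.sh` style dry runs first to see the exact commands. One caveat for the IPS requirement: if the server does not route its replies back through the BIG-IP you would need SNAT (`source-address-translation { type automap }`) on the virtual, but that replaces the client IP with a self IP and the IPS then only ever sees the BIG-IP as the source.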

 

4 Replies

  • Thanks for your response. Kindly note that when I install the certificates on the physical server and bypass the F5, I can log in to the server without any issues.

    Here is an ssldump; 172.32.31.200 is the IP address of the virtual server and 10.255.155.137 is my IP.

    [root@EMP-LTMASM-1:Active:In Sync] tmp ssldump -nr /var/tmp/www-ssl-client.cap
    New TCP connection 2: 10.255.155.137(50487) <-> 172.32.31.200(443)
    New TCP connection 1: 10.255.155.137(50488) <-> 172.32.31.200(443)
    1 1  0.0041 (0.0041)  C>S  Handshake
          ClientHello
            Version 3.3
            cipher suites
            TLS_RSA_WITH_AES_128_CBC_SHA256
            TLS_RSA_WITH_AES_128_CBC_SHA
            TLS_RSA_WITH_AES_256_CBC_SHA256
            TLS_RSA_WITH_AES_256_CBC_SHA
            TLS_RSA_WITH_RC4_128_SHA
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            Unknown value 0xc027
            Unknown value 0xc013
            Unknown value 0xc014
            Unknown value 0xc02b
            Unknown value 0xc023
            Unknown value 0xc02c
            Unknown value 0xc024
            Unknown value 0xc009
            Unknown value 0xc00a
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA
            TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
            TLS_RSA_WITH_RC4_128_MD5
            compression methods
                      NULL
    1 2  0.0042 (0.0000)  S>C  Alert
        level           fatal
        value           handshake_failure
    1    0.0042 (0.0000)  S>C  TCP FIN
    2 1  0.0048 (0.0048)  C>S  Handshake
          ClientHello
            Version 3.3
            cipher suites
            TLS_RSA_WITH_AES_128_CBC_SHA256
            TLS_RSA_WITH_AES_128_CBC_SHA
            TLS_RSA_WITH_AES_256_CBC_SHA256
            TLS_RSA_WITH_AES_256_CBC_SHA
            TLS_RSA_WITH_RC4_128_SHA
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            Unknown value 0xc027
            Unknown value 0xc013
            Unknown value 0xc014
            Unknown value 0xc02b
            Unknown value 0xc023
            Unknown value 0xc02c
            Unknown value 0xc024
            Unknown value 0xc009
            Unknown value 0xc00a
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA
            TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
            TLS_RSA_WITH_RC4_128_MD5
            compression methods
                      NULL
    2 2  0.0049 (0.0000)  S>C  Alert
        level           fatal
        value           handshake_failure
    2    0.0049 (0.0000)  S>C  TCP FIN
    1    0.0060 (0.0018)  C>S  TCP FIN
    2    0.0069 (0.0019)  C>S  TCP FIN
    New TCP connection 3: 10.255.155.137(50489) <-> 172.32.31.200(443)
    New TCP connection 4: 10.255.155.137(50490) <-> 172.32.31.200(443)
    3 1  0.0034 (0.0034)  C>S  SSLv2 compatible client hello
      Version 3.1
      cipher suites
      TLS_RSA_WITH_AES_128_CBC_SHA
      TLS_RSA_WITH_AES_256_CBC_SHA
      TLS_RSA_WITH_RC4_128_SHA
      TLS_RSA_WITH_3DES_EDE_CBC_SHA
      Unknown value 0xc013
      Unknown value 0xc014
      Unknown value 0xc009
      Unknown value 0xc00a
      TLS_DHE_DSS_WITH_AES_128_CBC_SHA
      TLS_DHE_DSS_WITH_AES_256_CBC_SHA
      TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
      TLS_RSA_WITH_RC4_128_MD5
      SSL2_CK_RC4
      SSL2_CK_3DES
      Unknown value 0xff
    3 2  0.0035 (0.0000)  S>C  Alert
        level           fatal
        value           handshake_failure
    3    0.0035 (0.0000)  S>C  TCP FIN
    4 1  0.0034 (0.0034)  C>S  SSLv2 compatible client hello
      Version 3.1
      cipher suites
      TLS_RSA_WITH_AES_128_CBC_SHA
      TLS_RSA_WITH_AES_256_CBC_SHA
      TLS_RSA_WITH_RC4_128_SHA
      TLS_RSA_WITH_3DES_EDE_CBC_SHA
      Unknown value 0xc013
      Unknown value 0xc014
      Unknown value 0xc009
      Unknown value 0xc00a
      TLS_DHE_DSS_WITH_AES_128_CBC_SHA
      TLS_DHE_DSS_WITH_AES_256_CBC_SHA
      TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
      TLS_RSA_WITH_RC4_128_MD5
      SSL2_CK_RC4
      SSL2_CK_3DES
      Unknown value 0xff
    4 2  0.0034 (0.0000)  S>C  Alert
        level           fatal
        value           handshake_failure
    4    0.0034 (0.0000)  S>C  TCP FIN
    3    0.0053 (0.0018)  C>S  TCP FIN
    4    0.0051 (0.0016)  C>S  TCP FIN
    New TCP connection 5: 10.255.155.137(50491) <-> 172.32.31.200(443)
    New TCP connection 6: 10.255.155.137(50492) <-> 172.32.31.200(443)
    5 1  0.0032 (0.0032)  C>S  SSLv2 compatible client hello
      Version 3.0
      cipher suites
      SSL_RSA_WITH_RC4_128_SHA
      SSL_RSA_WITH_3DES_EDE_CBC_SHA
      SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
      SSL_RSA_WITH_RC4_128_MD5
      SSL2_CK_RC4
      SSL2_CK_3DES
      Unknown value 0xff
    5 2  0.0032 (0.0000)  S>C  Alert
        level           fatal
        value           handshake_failure
    5    0.0033 (0.0000)  S>C  TCP FIN
    6 1  0.0033 (0.0033)  C>S  SSLv2 compatible client hello
      Version 3.0
      cipher suites
      SSL_RSA_WITH_RC4_128_SHA
      SSL_RSA_WITH_3DES_EDE_CBC_SHA
      SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
      SSL_RSA_WITH_RC4_128_MD5
      SSL2_CK_RC4
      SSL2_CK_3DES
      Unknown value 0xff
    6 2  0.0034 (0.0000)  S>C  Alert
        level           fatal
        value           handshake_failure
    6    0.0034 (0.0000)  S>C  TCP FIN
    5    0.0052 (0.0019)  C>S  TCP FIN
    6    0.0050 (0.0016)  C>S  TCP FIN
    New TCP connection 8: 10.255.155.137(50494) <-> 172.32.31.200(443)
    New TCP connection 7: 10.255.155.137(50493) <-> 172.32.31.200(443)
    Version 2 Client.
    8    0.0031 (0.0031)  S>C  TCP FIN
    Version 2 Client.
    7    0.0043 (0.0043)  S>C  TCP FIN
    8    0.0047 (0.0016)  C>S  TCP FIN
    7    0.0058 (0.0015)  C>S  TCP FIN

     

  • Have you tried the "clientssl-insecure-compatible" clientssl profile?

  • Emad

    Kind of a suggestion: this goal can also be achieved if you differentiate your DMZ segment from the APP segment. Using a router between the servers and the BIG-IP LTM can make it easy to send your traffic to an internal ASA or IPS/IDS module.

  • If I may add, your capture is basically 6 different attempts to start an SSL handshake, starting with TLS1.2 and moving to TLS1.0. The odd thing is that the client's CLIENTHELLO message is met with an immediate failure by the server. This would usually indicate some egregious disparity between the client and server's capabilities. So quick questions then:

    1. Are you doing anything specific in the client SSL profile?
    2. Specific cipher selection?
    3. Any non-default settings?
    4. If you have made changes, what happens if you use a basic unmodified client SSL profile (except for the server cert and key)?

    And in case there's something missing from the logs, do you see any server side traffic with a tcpdump?

    tcpdump -lnni 0.0 port 80 and host y.y.y.y
    

    where y.y.y.y is the IP address of the web server.
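A small triage script for captures like the one posted earlier in this thread, added here as an example and not taken from the thread or from F5. It reads ssldump text output and reports, per connection, the ClientHello version, how many cipher suites were offered, and whether the server ever sent a ServerHello or answered with an alert first. The `ssldump_triage` function and the hint wording are this example's own; the sample capture embedded in it is constructed in ssldump's format (abbreviated, with one succeeding connection added for contrast), not the posted one.

```shell
#!/bin/sh
# Added example (not from the thread): per-connection triage of ssldump text output.
# ssldump_triage and the hint text are this example's own; SAMPLE_SSLDUMP is a
# constructed, abbreviated capture in ssldump format, not the one posted.
set -eu

SAMPLE_SSLDUMP='New TCP connection #1: 10.255.155.137(50487) <-> 172.32.31.200(443)
1 1  0.0041 (0.0041)  C>S  Handshake
      ClientHello
        Version 3.3
        cipher suites
        TLS_RSA_WITH_AES_128_CBC_SHA256
        TLS_RSA_WITH_AES_128_CBC_SHA
        compression methods
                  NULL
1 2  0.0042 (0.0000)  S>C  Alert
    level           fatal
    value           handshake_failure
1    0.0042 (0.0000)  S>C  TCP FIN
New TCP connection #2: 10.255.155.137(50489) <-> 172.32.31.200(443)
2 1  0.0034 (0.0034)  C>S  SSLv2 compatible client hello
  Version 3.1
  cipher suites
  TLS_RSA_WITH_AES_128_CBC_SHA
  SSL2_CK_RC4
2 2  0.0035 (0.0000)  S>C  Alert
    level           fatal
    value           handshake_failure
2    0.0035 (0.0000)  S>C  TCP FIN
New TCP connection #3: 10.255.155.137(50500) <-> 172.32.31.200(443)
3 1  0.0030 (0.0030)  C>S  Handshake
      ClientHello
        Version 3.3
        cipher suites
        TLS_RSA_WITH_AES_128_CBC_SHA
3 2  0.0031 (0.0001)  S>C  Handshake
      ServerHello
        Version 3.3
        cipherSuite         TLS_RSA_WITH_AES_128_CBC_SHA'

# Reads ssldump output on stdin; one summary line per connection plus a verdict.
ssldump_triage() {
  awk '
  function proto(v) {
    if (v == "Version 3.3") return "TLS 1.2"
    if (v == "Version 3.2") return "TLS 1.1"
    if (v == "Version 3.1") return "TLS 1.0"
    if (v == "Version 3.0") return "SSL 3.0"
    return v
  }
  # "New TCP connection #1: a(p) <-> b(p)"; the "#" is missing in some outputs
  /^New TCP connection/ {
    id = $4; sub(/^#/, "", id); sub(/:$/, "", id)
    order[++n] = id; ver[id] = "?"; suites[id] = 0; compat[id] = ""
    verdict[id] = "no server reply seen"
    next
  }
  # record line: "<conn> <seq> <time> (<delta>) <dir> <type...>"
  /^[0-9]+ +[0-9]+ +[0-9.]+ +\(/ {
    cur = $1; dir = $5; type = $6
    for (i = 7; i <= NF; i++) type = type " " $i
    state = ""; insuites = 0
    if (dir == "C>S" && type ~ /^SSLv2 compatible client hello/) {
      state = "hello"; compat[cur] = " (SSLv2-compatible)"
    } else if (type == "Handshake") state = "hs"
    else if (type == "Alert") state = "alert"
    next
  }
  # TCP-level line ("<conn> <time> (<delta>) <dir> TCP FIN"): nothing to decode
  /^[0-9]+ +[0-9.]+ +\(/ { next }
  {
    line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
    if (state == "hs") {
      if (line == "ClientHello") state = "hello"
      else { if (line == "ServerHello") verdict[cur] = "ServerHello received"; state = "" }
    } else if (state == "hello") {
      if (line ~ /^Version /) ver[cur] = line
      else if (line == "cipher suites") insuites = 1
      else if (line ~ /^compression methods/) insuites = 0
      else if (insuites && line != "") suites[cur]++
    } else if (state == "alert") {
      if (line ~ /^level /) lvl = $2
      else if (line ~ /^value / && verdict[cur] != "ServerHello received")
        verdict[cur] = lvl " alert " $2 " before ServerHello"
    }
  }
  END {
    for (i = 1; i <= n; i++) {
      id = order[i]
      printf "conn %s: %s ClientHello%s, %d suites -> %s\n", id, proto(ver[id]), compat[id], suites[id], verdict[id]
      if (verdict[id] != "ServerHello received") rejected++
    }
    printf "%d of %d connections never got a ServerHello\n", rejected, n
    if (n > 0 && rejected == n)
      print "hint: every offered version was refused on the first flight, so the TLS endpoint itself is rejecting the hello; on an offloading virtual that is the clientssl profile, not the pool member"
  }'
}

# Demo on the constructed sample. On the box: ssldump -nr /var/tmp/www-ssl-client.cap | ssldump_triage
printf '%s\n' "$SAMPLE_SSLDUMP" | ssldump_triage
```

Reading the result: a fatal handshake_failure that follows every ClientHello with no ServerHello in between, across TLS 1.2 down to SSL 3.0, is produced by the TLS endpoint the client is talking to, which with a clientssl profile is the BIG-IP itself; since the client-side handshake fails before any request is parsed, no server-side connection is opened for those attempts and the port-80 tcpdump suggested above will show nothing for them. That narrows the search to the client SSL profile (certificate, key, chain, cipher string). Pure SSLv2 hellos, which ssldump prints only as "Version 2 Client.", carry no connection number and are not decoded by the script.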