reen_sc_140631
Mar 19, 2015

Difference between SSL::disable and SSL Profile

Hello Folks,

Can someone explain to me what the difference is between an SSL::disable serverside (in an iRule) and no selected SSL profile in the VS configuration?

I am wondering because the server connection (no SSL) is working only when I add the iRule with the "SSL::disable serverside" command and the default "serverssl" profile in the VS. Without the "serverssl" profile the connection isn't working anymore. Why do I need an SSL profile in the VS configuration for a non-SSL connection to the backend server?

Can someone explain that to me?

Thanks a lot

3 Replies

  • Normally you don't configure a server SSL profile (assigned to the VS) if you do not want to SSL encrypt the communication between your LTM and the backend. The situation you describe is weird. Is server SSL enabled somewhere else in your iRule? Or in an LTM policy?

  • For the use of iRules which reference the SSL::enable serverside or SSL::disable serverside functions, the prerequisite is having an SSL serverside profile assigned to a virtual server.

    1) Having an SSL serverside profile assigned to a virtual server (and using the SSL::disable serverside function in an iRule):

    - You are instructing F5 to exceptionally avoid negotiating an SSL session with the backend server. Useful if you want most of your F5-to-backend-server communication to be SSL, but create a few non-SSL exceptions.

    2) Not having an SSL serverside profile assigned to a virtual server:

    - F5 never negotiates an SSL session with a backend server. You are unable to reference the SSL::enable serverside and SSL::disable serverside functions in an iRule. Useful if you want all of your F5-to-backend-server communication to be non-SSL.

  • No...I can't find any SSL parameters

    when SERVER_CONNECTED {
        if { [LB::server pool] eq "/partition/pool_http_tcp50000" } {
            SSL::disable serverside
        }
    }