SSL Re-Encryption - No SSL traffic on server side

Question

Hi,&nbsp;
I configured SSL re-encryption on F5 virtual edition, but I don't see SSL traffic on server side.&nbsp;
Client correctly connects to outside IP of F5, but when I create TCPDUMP there is no SSL traffic on server side&nbsp;
I'm using self signed certificates on client side and default sslserver profile on server side.&nbsp;
I belive that problem is not on SSL level because there is nothing in log and f5 even does not start SSL handshake...&nbsp;
On other side, when I try with openssl coman, SSL session is correctly setted up.&nbsp;
pls help.&nbsp;

mate_132781 · Accepted Answer

Thank you for hint! :-)&nbsp;

To be sure I disabled HTTPS monitor on BIG-IP and after that there was no any traffic to server. After starting HTTPS connection from client I noticed that F5 used outside IP adress (one to which client connected) as a source IP address torward server. SNAT auto-map was enabled on VS.&nbsp;

After that I created SANT pool with inside IP address of F5, associate it with VS and now everything is working.&nbsp;

Monitor traffic confused me in TCPDUMP.&nbsp;

Thanks for help.&nbsp;

hannes_rapp · Answer

How do you determine presence or no presence of SSL traffic? Do you open your capture file and expect to see TLS/SSL messages? SSL/TLS messages, such as CLIENTHELLO are only seen after you import the SSL private key to WireShark (private key from end-server). Before that is done, all traffic is encrypted, and can only be seen as TCP 443 stream.&nbsp;
On a very basic level, I hope you're aware that if you configure serverssl profile, that configuration itself doesn't re-encrypt traffic before forwarding it to end-server, unless your end-server listener is SSL-enabled, and correctly presents a SSL certificte. The serverssl profile configuration only enables F5 itself to act as a client during SSL handshake phase.&nbsp;

hannes_rapp_162 · Answer

How do you determine presence or no presence of SSL traffic? Do you open your capture file and expect to see TLS/SSL messages? SSL/TLS messages, such as CLIENTHELLO are only seen after you import the SSL private key to WireShark (private key from end-server). Before that is done, all traffic is encrypted, and can only be seen as TCP 443 stream.&nbsp;
On a very basic level, I hope you're aware that if you configure serverssl profile, that configuration itself doesn't re-encrypt traffic before forwarding it to end-server, unless your end-server listener is SSL-enabled, and correctly presents a SSL certificte. The serverssl profile configuration only enables F5 itself to act as a client during SSL handshake phase.&nbsp;

mate_132781 · Answer

Access to WEB servers is working and pure HTTP is disabled on application.

I'm aware of things you wrote. Thank you very much for help. :-)

mate_132781 · Answer

Access to WEB servers is working and pure HTTP is disabled on application.

I'm aware of things you wrote. Thank you very much for help. :-)

Forum Discussion

SSL Re-Encryption - No SSL traffic on server side

5 Replies

Recent Discussions

preserve client IP on layer 4 VIP

Failed to convert character dclid=%EDclid!

ASM - Parent policy vs OWASPcompliance

Rewrite uri translation not working

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

Related Content

SSL Full Proxy - SSL Re-Encryption performance degradation

fellow traffic

Route traffic to specific sorry server path

Block traffic

Getting TCP Reset-0 from server when routing HTTPS traffic via F5