sniffer_375425
Feb 01, 2019 Nimbostratus
Terminating SSL on F5 and re-encrypt to end server
Hello,
I need to use my F5 in the following scenario:
Internet -> F5 -> WebApplicationProxy -> End node/server
On the F5 I need to do SSL offload because I need to forward traffic based on information from the header.
I configured both: SSL Profile Client and SSL Profile Server.
SSLDUMP F5 -> Server
New TCP connection 1: 10.99.11.36(11086) <-> 10.99.11.39(443)
1 1 0.0006 (0.0006) C>SV3.1(139) Handshake
ClientHello
Version 3.3
random[32]=
59 c2 05 9e 08 c6 ec ef d2 5b 61 82 23 8a 7e 21
cc e3 0b a1 e4 fe c2 f6 bd b9 5d a4 f0 81 0d ff
cipher suites
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
NULL
extensions
supported_groups
ec_point_formats
signature_algorithms
signature_algorithms[26]=
04 01 05 01 06 01 04 02 05 02 06 02 04 03 05 03
06 03 02 01 02 02 02 03 01 01
extended_master_secret
1 0.0012 (0.0006) S>C TCP RST
I also have one very strange situation: I did openssl from the client and I get this. This is done when I configured the F5 just to forward traffic, no SSL offloading.
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1549020813
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Does anyone have an idea what to do?
Thanks.
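The F5 -> server ssldump trace above stops at a TCP RST immediately after the ClientHello, before any TLS message comes back. As an added example (not the poster's code and not an F5 tool), here is a small Python parser for ssldump-style output that groups records per connection and reports whether the server side ever answered with a TLS handshake message or reset the TCP connection first; the embedded trace is constructed and modelled on the post, with a second healthy connection for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in ssldump's layout, modelled on the F5 -> server capture
# in the post (connection 1) plus a healthy connection for contrast (2).
SAMPLE_TRACE = """\
New TCP connection 1: 10.99.11.36(11086) <-> 10.99.11.39(443)
1 1  0.0006 (0.0006)  C>SV3.1(139)  Handshake
      ClientHello
1    0.0012 (0.0006)  S>C  TCP RST
2 1  0.0005 (0.0005)  C>SV3.1(139)  Handshake
      ClientHello
2 2  0.0020 (0.0015)  S>CV3.3(89)  Handshake
      ServerHello
"""

# record line: conn [record] time (delta) C>S|S>C [Vx.y(len)] payload
RECORD = re.compile(r"^(?P<conn>\d+)\s+(?:\d+\s+)?[\d.]+\s+\([\d.]+\)\s+"
                    r"(?P<dir>[CS]>[CS])(?:V[\d.]+\(\d+\))?\s+(?P<payload>.+)$")
HANDSHAKE_TYPES = {"ClientHello", "ServerHello", "Certificate", "ServerHelloDone"}

def parse_events(trace):
    # Per-connection list of (direction, event); a "Handshake" record takes its
    # message type from the indented line that follows it.
    events, pending = defaultdict(list), None
    for line in map(str.strip, trace.splitlines()):
        m = RECORD.match(line)
        if m:
            conn, direction, payload = int(m["conn"]), m["dir"], m["payload"].strip()
            pending = (conn, direction) if payload == "Handshake" else None
            if pending is None:
                events[conn].append((direction, payload))
        elif pending and line in HANDSHAKE_TYPES:
            events[pending[0]].append((pending[1], line))
            pending = None
    return dict(events)

def diagnose(events):
    # Classify how far one connection's handshake got.
    if ("C>S", "ClientHello") not in events:
        return "no-clienthello"            # nothing TLS was ever sent
    if any(d == "S>C" and e in HANDSHAKE_TYPES for d, e in events):
        return "server-answered"           # negotiation actually started
    if ("S>C", "TCP RST") in events:
        # RST before any TLS reply: the server side dropped the TCP connection,
        # so the offered ciphers and versions were never evaluated.
        return "reset-after-clienthello"
    return "no-server-reply"

def diagnose_trace(trace):
    return {conn: diagnose(ev) for conn, ev in parse_events(trace).items()}
```

A "reset-after-clienthello" verdict means the problem sits at the TCP/listener level on the pool member rather than in the cipher or version lists, which is the first thing to check before tuning the server SSL profile.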