jpeterson6
Nov 16, 2017

HTTP Profile causing cert issues

Hi,

We have a situation where a VIP configured as SSL Passthrough (No SSL Profiles) seems to cause certificate errors between client and backend server when the VIP is configured with an http profile.

The profile in question is configured as follows:

ltm profile http fqdn.example.com_http {
    app-service none
    defaults-from http
    fallback-host none
    proxy-type reverse
}  

The rest of the VIP:

ltm virtual fqdn.example.com-https-proxy {
    destination x.x.x.x:https
    ip-protocol tcp
    mask 255.255.255.255
    pool pool-fqdn.example.com-https-proxy
    profiles {
        tcp-wan-optimized { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 11
}

What happens in the traffic stream is that when there is an HTTP profile attached to the VIP, the server sends the certificate information to the client, and the client immediately responds with a TLS Fatal Error: Certificate Unknown.

We suspected a client-side issue until I removed the http profile on a hunch.

So my question is why does the HTTP profile cause an issue with the certificate?

1 Reply

  • An HTTP profile only operates on decrypted data (i.e., a client SSL profile that terminates SSL).

    If you apply an HTTP profile to an SSL passthrough, the HTTP profile will terminate the connection (because the traffic is not valid HTTP).
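
An added example, not part of the original thread and not F5 tooling: a Python check over tmsh-style configuration text that flags HTTPS virtual servers carrying an HTTP profile without a client-ssl profile, the combination the reply describes. The sample config is constructed and the function names are hypothetical; matching on port https/443 and seeding the built-in profile names http and clientssl are assumptions.

```python
import re

# Constructed sample in the tmsh format shown in the post (not a real config).
SAMPLE_CONF = """\
ltm profile http fqdn.example.com_http {
    defaults-from http
}
ltm profile client-ssl example_clientssl {
    defaults-from clientssl
}
ltm virtual vs-terminated {
    destination 192.0.2.10:https
    profiles {
        example_clientssl { context clientside }
        fqdn.example.com_http { }
        tcp-wan-optimized { }
    }
}
ltm virtual fqdn.example.com-https-proxy {
    destination 192.0.2.11:https
    profiles {
        fqdn.example.com_http { }
        tcp-wan-optimized { }
    }
}
"""

def blocks(conf):
    """Yield (type, name, body) for each top-level 'ltm ...' stanza."""
    for m in re.finditer(r"^ltm (profile [\w-]+|virtual) (\S+) \{\n(.*?)^\}", conf, re.M | re.S):
        yield m.group(1), m.group(2), m.group(3)

def http_on_passthrough(conf):
    """Return HTTPS virtuals that use an HTTP profile without a client-ssl profile."""
    # Assumption: built-in profiles are not defined in the user config, so seed them.
    http, cssl = {"http"}, {"clientssl"}
    for kind, name, _ in blocks(conf):
        if kind == "profile http": http.add(name)
        if kind == "profile client-ssl": cssl.add(name)
    flagged = []
    for kind, name, body in blocks(conf):
        if kind != "virtual":
            continue
        dest = re.search(r"^\s*destination \S+:(\S+)", body, re.M)
        prof = re.search(r"^\s*profiles \{\n(.*?)^\s*\}$", body, re.M | re.S)
        used = set(re.findall(r"^\s*(\S+) \{", prof.group(1), re.M)) if prof else set()
        # Port heuristic: an HTTP profile on a plain-HTTP virtual is legitimate.
        if dest and dest.group(1) in ("https", "443") and used & http and not used & cssl:
            flagged.append(name)
    return flagged
```
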