jpeterson6
Nov 16, 2017
Nimbostratus
HTTP Profile causing cert issues
Hi,
We have a situation where a VIP configured as SSL Passthrough (No SSL Profiles) seems to cause certificate errors between client and backend server when the VIP is configured with an http profile.
The profile in question is configured as follows:
ltm profile http fqdn.example.com_http {
    app-service none
    defaults-from http
    fallback-host none
    proxy-type reverse
}
The rest of the VIP:
ltm virtual fqdn.example.com-https-proxy {
    destination x.x.x.x:https
    ip-protocol tcp
    mask 255.255.255.255
    pool pool-fqdn.example.com-https-proxy
    profiles {
        tcp-wan-optimized { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 11
}
What happens in the traffic stream is that when there is an HTTP profile attached to the VIP, the server sends the certificate information to the client, and the client immediately responds with a TLS Fatal Error: Certificate Unknown.
We suspected a client-side issue until I removed the http profile on a hunch.
So my question is why does the HTTP profile cause an issue with the certificate?
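A check for the combination the post describes, an HTTP profile on an HTTPS virtual server that has no client-ssl profile and so hands the HTTP profile undecrypted TLS, added here as an example and not part of the original post or of F5 tooling. The function names and the sample config (the post's objects with the HTTP profile attached) are constructed, and matching on the `:https`/`:443` destination is an assumption.

```python
import re
# Constructed sample in tmsh format: the post's objects, with the HTTP
# profile attached to the pass-through virtual server as the post describes.
SAMPLE = """\
ltm profile http fqdn.example.com_http {
    proxy-type reverse
}
ltm virtual fqdn.example.com-https-proxy {
    destination x.x.x.x:https
    profiles {
        fqdn.example.com_http { }
        tcp-wan-optimized { }
    }
}
"""

HEADER = re.compile(r"^ltm (virtual|profile (\S+)) (\S+) \{")
BUILTIN = {"http": "http", "clientssl": "client-ssl"}  # built-in profile name -> type

def parse(config):
    """Return (profile name -> type, virtual name -> destination and profiles)."""
    types, virtuals = dict(BUILTIN), {}
    depth, current, in_profiles = 0, None, False
    for raw in config.splitlines():
        line = raw.strip()
        m = HEADER.match(line) if depth == 0 else None
        if m and m.group(2):                      # "ltm profile <type> <name> {"
            types[m.group(3).split("/")[-1]] = m.group(2)
        elif m:                                   # "ltm virtual <name> {"
            current = virtuals.setdefault(m.group(3), {"destination": "", "profiles": []})
        elif current and depth == 1 and line.startswith("destination "):
            current["destination"] = line.split()[1]
        elif current and depth == 1 and line.startswith("profiles {"):
            in_profiles = True
        elif in_profiles and depth == 2 and "{" in line:
            current["profiles"].append(line.split()[0].split("/")[-1])
        depth += line.count("{") - line.count("}")
        in_profiles = in_profiles and depth >= 2  # left the profiles block
        current = current if depth else None      # left the stanza
    return types, virtuals

def passthrough_with_http(config):
    """Names of HTTPS virtual servers with an HTTP profile but no client-ssl profile."""
    types, virtuals = parse(config)
    def risky(vs):
        kinds = {types.get(p) for p in vs["profiles"]}
        port = vs["destination"].rsplit(":", 1)[-1]
        return port in ("https", "443") and "http" in kinds and "client-ssl" not in kinds
    return [name for name, vs in virtuals.items() if risky(vs)]
```

Run `passthrough_with_http()` over the text of a saved configuration such as `bigip.conf`; an empty list means no virtual server matches the pattern.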