Forum Discussion
2 Replies
- Henrik_Gyllkran (Nimbostratus)
Without having tested it myself, my guess is it will encrypt it again, leading to a very confused backend server.
- Jason_Adams (Employee)
Well, let's consider how an LTM operates with various profiles:
On the clientside, you will have a TCP profile, which will cause TCP Delayed Binding.
[SYN] C -> LTM
[SYN,ACK] C <- LTM
[ACK] C -> LTM
- TCP 3-Way-Handshake is now complete.
Client sends the next segment, which will be load-balanced and sent to a pool member:
[Client_Hello] C -> LTM
The LTM will then make a load-balancing decision and establish a connection with a pool member. And, because a Server-SSL Profile is applied, the LTM will perform SSL Delayed Binding:
[SYN] LTM -> S
[SYN,ACK] LTM <- S
[ACK] LTM -> S
[Client_Hello] LTM -> S
[Server_Hello] LTM <- S
[Key_Exchanges...etc, SSL negotiation completes]
The next thing that will happen is the LTM will forward the [Client_Hello] from the clientside to the pool member.
However, because the SSL Negotiation has already occurred, [Client_Hello] will be received by the L7 Application Server. In my lab, the response is a '400 Bad Request' from the server.
So to answer your question, no, it will not simply send 'Encrypted' data to the back-end server. It will begin by sending the client's [Client_Hello] to the pool member, which will be received on Layer 7. In my lab, the server will simply respond with a '400 Bad Request', and the connection will complete.
What will actually occur is that the clientside will never successfully negotiate an SSL Connection.
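The failure described in the reply above can be recognized on the pool member: the first bytes it decrypts are a TLS record header instead of an HTTP request line. The following is an added example, not part of the original thread; the function names, the simplified 400 model, and the sample ClientHello bytes are constructed for illustration.

```python
import struct

HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}

def build_client_hello() -> bytes:
    """Constructed minimal TLS ClientHello record (sample data, not a capture)."""
    body = (b"\x03\x03" + bytes(32)   # client_version, 32-byte random
            + b"\x00"                 # empty session_id
            + b"\x00\x02\x00\x2f"     # cipher_suites: length 2, one suite
            + b"\x01\x00")            # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify_first_bytes(data: bytes) -> str:
    """Classify the first application bytes a pool member decrypts."""
    # TLS record header: content type (1 byte), version (2), length (2).
    # Content type 0x16 is handshake; the next byte 0x01 is ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls_client_hello" if data[5] == 0x01 else "tls_handshake"
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return "http_request"
    return "unknown"

def pool_member_status(data: bytes) -> int:
    """Simplified model of the HTTP server: no valid request line means 400."""
    return 200 if classify_first_bytes(data) == "http_request" else 400

def diagnose(data: bytes) -> str:
    """Map the classification to the likely virtual server misconfiguration."""
    kind = classify_first_bytes(data)
    if kind.startswith("tls_"):
        return "client TLS tunnelled inside server-side SSL: clientside is not terminated"
    if kind == "http_request":
        return "ok: pool member received plaintext HTTP inside server-side SSL"
    return "unrecognized payload"

if __name__ == "__main__":
    samples = {
        "HTTPS client, Server-SSL profile only": build_client_hello(),
        "HTTP request after clientside decryption": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    }
    for label, payload in samples.items():
        print(f"{label}: {pool_member_status(payload)} ({diagnose(payload)})")
```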