Performance with SSL Server Offload

Question

Hello 
&nbsp; We haved changed Linux LVS for LTM to balance or SSL Apache Servers. During the migration, we have also installed the public SSL certificates in  
&nbsp; the LTMs to offload the Apaches, and we're are using internal certificates between the LTM and the Apaches. 
&nbsp; Since that, the measure of times to open the main page is quite worse than it used to be. 
&nbsp; After activating oneconnect profile with 255.255.255.255 mask, the performance has improved, but is still quite worse that it used to be. 
&nbsp; With an sniffer, the captures show that it looks as if certificate ciphering is continuously: 
&nbsp; Client Key Exchange. Chage Cipher Spe, Encrypted Handshake Message 
&nbsp;  
&nbsp;  
&nbsp; If the ssl profile and certificate are removed from the LTM, the sysmem behaves as it used to be. Ciphering is negotiatend at the beginning of the session. 
&nbsp; The LTM negotiates SSLv3 with client, when it has the certificate. The Apache serves negotiates TLS1

hooleylist · Answer

Hi, 
&nbsp;  
&nbsp; Which LTM version and platform are you using?  Can you try creating a custom server SSL profile and disabling SSLv2 and SSLv3 in the profile? 
&nbsp;  
&nbsp; If that doesn't work, you might try opening a case with F5 Support so they can review your full configuration and tcpdump/ssldumps. 
&nbsp;  
&nbsp; Aaron

soymanue · Answer

Hello 
&nbsp; I'm using version 10.0.1 build 283.0. 
&nbsp; The ssl profile has these ciphers chains: 
&nbsp; DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!DH:@STRENGTH 
&nbsp;  
&nbsp; Which looks like this: 
&nbsp;  0:  53 AES256-SHA                      256  SSL3  Native AES    SHA    RSA    
&nbsp;  1:  53 AES256-SHA                      256  TLS1  Native AES    SHA    RSA    
&nbsp;  2:  57 DHE-RSA-AES256-SHA              256  SSL3  Compat AES    SHA    EDH/RSA 
&nbsp;  3:  57 DHE-RSA-AES256-SHA              256  TLS1  Compat AES    SHA    EDH/RSA 
&nbsp;  4:  10 DES-CBC3-SHA                    192  SSL3  Native DES    SHA    RSA    
&nbsp;  5:  10 DES-CBC3-SHA                    192  TLS1  Native DES    SHA    RSA    
&nbsp;  6:  22 DHE-RSA-DES-CBC3-SHA            192  SSL3  Compat DES    SHA    EDH/RSA 
&nbsp;  7:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1  Compat DES    SHA    EDH/RSA 
&nbsp;  8:   4 RC4-MD5                         128  SSL3  Native RC4    MD5    RSA    
&nbsp;  9:   4 RC4-MD5                         128  TLS1  Native RC4    MD5    RSA    
&nbsp; 10:   5 RC4-SHA                         128  SSL3  Native RC4    SHA    RSA    
&nbsp; 11:   5 RC4-SHA                         128  TLS1  Native RC4    SHA    RSA    
&nbsp; 12:  47 AES128-SHA                      128  SSL3  Native AES    SHA    RSA    
&nbsp; 13:  47 AES128-SHA                      128  TLS1  Native AES    SHA    RSA    
&nbsp; 14:  51 DHE-RSA-AES128-SHA              128  SSL3  Compat AES    SHA    EDH/RSA 
&nbsp; 15:  51 DHE-RSA-AES128-SHA              128  TLS1  Compat AES    SHA    EDH/RSA 
&nbsp;  
&nbsp; I don't know how to put TLS1 before SSL3 
&nbsp;  
&nbsp; Thanks

soymanue · Answer

One more thing, 
&nbsp; How do I disable SSL3? !SSL3 o !SSLv3 don't seen to work. &nbsp;

Forum Discussion

Performance with SSL Server Offload

3 Replies

Recent Discussions

Stable Firmware for F5

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Need advise to setup a policy on F5

Web acceleration

Related Content

Replacing vserver certificates (say for SSL offload) via CLI?

SSL cipher: improve performance

LDAP vs Active Directory Authentication performance.

SSL Passthrough, SSL Offloading and SSL Bridging

SSL Offload performance in F5 LTM Virtual Edition