Forum Discussion
AltostratusAny approach to encrypting HSL traffic such that no plain text is ever sniffable?
Hi,
I took a look at this in my personal lab today, and I don't think this is possible. With HSL you only have the options of UDP or TCP (but not TLS) in either the iRule HSL::open command or when creating an HSL destination (sys log-config destination remote-high-speed-log).
I tried recreating your configuration. I thought that perhaps adding a clientssl profile to the HTTP VIP would result in the traffic on the client-side from the management port to this VIP being TLS encrypted, but in my packet capture I could still see the logs in plain text. It was only encrypted on the server-side, between the VIP and the back-end syslog server.
So unfortunately, it looks like the F5 BIG-IP can only send HSL traffic in plain text on the client-side. I am not aware of any other configurations that could be leveraged to achieve end-to-end TLS encryption for logs.
- zamroni777
MVP
Hsl isn't using http format, so you must remove http profile from the vserver.
Also remove the client side ssl profile from the vserver. If you put client side ssl profile, the vserver will only accept tls connections.
Good points.
It still means though that we do not have a way of encrypting the HSL on the client-side which is what @daboochmeister2 wants.
