Forum Discussion

Abhijeetm
Feb 27, 2024

client and server ssl profiles

I am new to F5 ASM. In our environment we have set up a website behind the WAF in transparent mode. We have installed a wildcard certificate on the real web server and replicated it on the WAF using client and server SSL profiles.

However, when we attach these custom profiles to the virtual server, the site doesn't work. Interestingly, when we replace them with the client/server-insecure-compatible SSL profiles, the site works properly.

Furthermore, the site works normally when we bypass the WAF.

What steps should we take to address this issue?

4 Replies

  • The client (side) profile is the config F5 uses when communicating with the client.
    The server (side) profile is the config F5 uses when communicating with the server.

    You should put the CA-authorized certificate in F5's client profile.
    If your wildcard certificate is CA-authorized, not self-signed, then you should put it in the client profile.

    For the server-side profile, usually you can simply use the default server profile,
    and the web server can also use self-signed certificates.
    I usually configure weaker ciphers for the server-side profile, e.g. AES128 instead of AES256, to reduce server load.

  • I configured a custom cipher group with less secure ciphers (ECDHE+AES128), and I replaced it with the f5-default cipher group in my custom SSL profile. Now the site is working with SSL.

    I guess our web server was configured with only such less secure ciphers, which was causing the SSL handshake to fail on the F5 WAF.

  • Continuing from where we left off, the issue has now been resolved by making the above changes, but I still don't think I have understood the issue clearly.

    I took packet captures on the F5, one when the f5-default profile was attached and another when the client/server insecure-compatible profiles were attached.

    Can anybody help me understand and compare these two packet captures?

    I have attached both screenshots.

    Thank you.

    • zamroni777

      We can't conclude the root cause from the picture because, unlike the client, the SSL server doesn't disclose its list of accepted ciphers.
      The SSL server just picks one match from the cipher list sent by the client.
      You need to get the web server config from the web server admin.

      It is normal when configuring an LB that the LB admin communicates with the web/app server admin, because the LB is actually more application layer than network layer.

      I guess your first ECDHE-AES128 server profile doesn't work because the web server doesn't accept ECDHE.
      ECDHE processing is quite heavy, by the way.
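To make zamroni777's point about the captures concrete, here is an added example (my own Python, not F5 code and not anything posted in the thread). It builds the kind of TLS 1.2 ClientHello a BIG-IP server-side SSL profile sends to the backend, parses the offered cipher suites back out (which is all a capture of the server-side handshake reveals), models how the backend picks a suite from that offer, and decodes the fatal handshake_failure alert that comes back when nothing matches. The cipher lists in the two scenarios at the bottom are constructed for illustration; the suite code points and alert numbers are the real IANA/RFC 5246 values.

```python
"""Decode what a TLS 1.2 packet capture can and cannot tell you about ciphers.

Added example, not F5 code: builds the kind of ClientHello a BIG-IP
server-side SSL profile sends to the backend, parses the offered cipher
suites back out (that offer is all a capture of the server-side handshake
reveals), models the backend's selection, and decodes the Alert a backend
returns when none of the offered suites is acceptable.  The cipher lists
used in the scenarios at the bottom are constructed for illustration.
"""
import os
import struct

# IANA TLS cipher-suite code points (real values) for a few common suites.
SUITES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x009C: "AES128-GCM-SHA256",   # RSA key exchange, no ECDHE
    0x002F: "AES128-SHA",          # RSA key exchange, no ECDHE
}

# A few TLS alert descriptions (RFC 5246 section 7.2) by code point.
ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(suite_ids, client_random=None):
    """Serialise a minimal TLS 1.2 ClientHello record (no extensions)."""
    if client_random is None:
        client_random = os.urandom(32)
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = (
        b"\x03\x03"                                            # client_version: TLS 1.2
        + client_random                                        # 32-byte random
        + b"\x00"                                              # session_id length: 0
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes  # cipher_suites vector
        + b"\x01\x00"                                          # compression: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher-suite code points offered in a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                       # skip client_version and random
    pos += 1 + body[pos]               # skip session_id (length byte + bytes)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def build_alert(level, description):
    """Serialise a TLS Alert record (content type 0x15, two-byte payload)."""
    return b"\x15\x03\x03\x00\x02" + bytes([level, description])


def parse_alert(record):
    """Decode a TLS Alert record into (level name, description name)."""
    if record[0] != 0x15:
        raise ValueError("not an alert record")
    level, desc = record[5], record[6]
    return ("fatal" if level == 2 else "warning", ALERTS.get(desc, str(desc)))


def server_select(offered, server_accepts):
    """Model the backend: with server-preference ordering it takes the first
    suite in its own list that the client also offered.  None means no match,
    which on the wire becomes a fatal handshake_failure alert."""
    for suite in server_accepts:
        if suite in offered:
            return suite
    return None


def simulate(profile_suites, backend_suites):
    """Run one server-side handshake in miniature.  Returns the offered suite
    names (what the capture shows) and the outcome (selected suite or alert)."""
    offered = parse_client_hello(build_client_hello(profile_suites))
    chosen = server_select(offered, backend_suites)
    if chosen is None:
        reply = build_alert(2, 40)
        return [SUITES[s] for s in offered], "alert " + parse_alert(reply)[1]
    return [SUITES[s] for s in offered], "selected " + SUITES[chosen]


if __name__ == "__main__":
    # Constructed scenarios: an ECDHE-only server-ssl profile against a backend
    # that accepts only RSA key exchange, then a broader profile against that backend.
    for label, profile in [("ECDHE-only profile", [0xC02B, 0xC02F, 0xC030]),
                           ("compatible profile", [0xC02F, 0x009C, 0x002F])]:
        offered, outcome = simulate(profile, [0x009C, 0x002F])
        print(f"{label}: offered {offered} -> {outcome}")
```

The point for reading the two screenshots: in both captures the ClientHello lists the suites the profile offered, and the only thing the backend sends back is either a ServerHello naming one suite or an alert. The backend's full accepted list never appears on the wire, which is why the web server's configuration has to come from its admin.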