Configuring F5 Re-Encryption

Question

I think at this point, I have looked at every guide ever created on this domain, and am rather stumped to what is causing my configuration to fail. Here is a bit of background:&nbsp;
I have a tomcat server running as my app container. It allows both http traffic (port 8080) and https traffic (8443). Ideally, I will get rid of 8080 traffic, and only allow 8443 traffic on tomcat (Will disable the http connector/listener). I want F5 to authenticate clients (Some user on IE), inject some stuff into the headers (roles from AD), and then establish a secure connection with my tomcat server on 8443.&nbsp;
What I have so far:
When I create a pool that points to port 8080, and make my virtual server dish out Http connections (port 80), I can connect just fine. The same is true when I set the virtual server to dish out https connections (port 443), and point to the same pool of 8080.&nbsp;
However, the issue I have is when I try to connect to https pools. When I change the port to 8443, I create either of the two issues: 
a) Secure Connection Failed Error in the browser
b) Indefinite load, where no response is ever retrieved from the server&nbsp;
My Config:&nbsp;
Pool:: 
My pool is set to an ip, lets reference to it as 192.168.1.1 , on port 8443.
I have an https monitor attached to it, and it is green.
Note, I can also access this ip:port directly, and get my webpage&nbsp;
Virtual Server::
Source : 0.0.0.0./0
Destination: 10.10.10.1
Service port: 443 : HTTPS
Http profile: http
SSL profile (Client): sample_client_profile
SSL profile (Server): sample_server_profile
Source Address Translation: Auto Map
(Everything else was left at default)&nbsp;
sample_client_profile::
Parent Profile: clientssl
Certificate: default (already made by F5, and I did not modify it)
Key: default (already made by F5, and I did not modify it)
(Everything else was left at default)&nbsp;
sample_server_profile::
Parent profile: serverssl
Certificate: tomcat-cert (I imported the x.509 certificate that I use in tomcat keystore to access https)
Key: tomcat-key (I imported the *.openssl private key from my tomcat keystore)
Server Certificate: Require
(Everything else was left at default)&nbsp;
When I access my vs,  the view should show me something back alike the response when using the http pool. Instead, all that I see is "Secure Connection Failed" in my browser when this https pool is enabled. &nbsp;
Is there something evident here that I am missing to make the use of pools to work? I have been stumped on this for a few days now, and just cannot figure it out. Any help is appreciated&nbsp;
v/r
Dan&nbsp;

kevin_stewart · Answer

It would seem that all indications are pointing to the server side SSL connection, and there are a number of things that can cause a failure. At the very least you should set up an SSLDUMP between the BIG-IP and Tomcat server and watch that transaction. If there's an SSL handshake error, you'll see it in this capture.
ssldump -AdNn -i [internal VLAN name] port 8443 [and any additional filters]

Also consider the following:

It could be that the server doesn't support RFC5746 Secure Renegotiation. You'll actually see this in the LTM log, and you can control it by setting the Secure Renegotiation option in the BIG-IP's server SSL profile to Request.

It could be that the server doesn't support the ciphers and/or protocols presented by the BIG-IP. This one is a bit more complex to troubleshoot, but if this is the case you'll likely see the server send an alert message directly at the client's (BIG-IP's) ClientHello message. Take note of the ciphers used by your successful direct connection test and compare those to what the BIG-IP is sending.

It could be that the server requires a Server Name Indication (SNI) value. By default the server SSL profile doesn't send an SNI in the ClientHello, but you can add one in the Server Name field in the server SSL profile. This will usually also fail after the client's ClientHello message.

kevin_stewart · Answer

What does 'LTM' log stand for?

Local Traffic Manager

Where is this located?

/var/log/ltm

The easiest thing to do is SSH into the management shell and tail this log to show real time updates:
tail -f /var/log/ltm

I am still in the process of observing the ssldump, but understanding what one should look at (A Java developer in this case) is very confusing.

No problem, and it can definitely be overwhelming. If you get stuck you can just paste that SSLDUMP output in this thread for others to evaluate.

kevin_stewart · Answer

You said earlier that the monitor was green, so probably best to temporarily disable the pool monitor while doing an SSLDUMP capture. We want to see the actual request traffic by itself.&nbsp;

kevin_stewart · Answer

Reformatting:
1 1 0.0266 (0.0266) C&gt;S 
    SSLv2 compatible client hello 
    Version 3.1 
    cipher suites 
        TLS_RSA_WITH_RC4_128_MD5 
        TLS_RSA_WITH_RC4_128_SHA 
        TLS_RSA_WITH_AES_128_CBC_SHA 
        TLS_RSA_WITH_AES_256_CBC_SHA 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA 
        TLS_RSA_WITH_DES_CBC_SHA 
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA 
        TLS_DHE_RSA_WITH_DES_CBC_SHA 
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 
        TLS_RSA_EXPORT_WITH_RC4_40_MD5 
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 
        TLS_DH_anon_WITH_RC4_128_MD5 
        TLS_DH_anon_WITH_AES_128_CBC_SHA 
        TLS_DH_anon_WITH_AES_256_CBC_SHA 
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 
        TLS_DH_anon_WITH_DES_CBC_SHA 
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 
        TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 
        TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 
        SSL2_RC4_128_WITH_MD5 
        SSL2_DES_64_CBC_WITH_MD5 
        SSL2_DES_192_EDE3_CBC_WITH_MD5 
        SSL2_RC4_128_EXPORT40_WITH_MD5 
        SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 
        SSL2_RC2_CBC_128_CBC_WITH_MD5 
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV 
TCP: 10.30.15.67(8443) -&gt; 10.10.20.190(60064) Seq 1045211207.(0) ACK 3197015237 
TCP: 10.30.15.67(8443) -&gt; 10.10.20.190(60064) Seq 1045211207.(0) ACK 3197015237 FIN 
1 0.0270 (0.0004) S&gt;C TCP FIN 
TCP: 10.10.20.190(60064) -&gt; 10.30.15.67(8443) Seq 3197015237.(0) ACK 1045211208 
TCP: 10.10.20.190(60064) -&gt; 10.30.15.67(8443) Seq 3197015237.(0) ACK 1045211208 RST 
1 0.0717 (0.0446) C&gt;S TCP RST

So I'm going to assume that you're looking at the client side of the F5 and that the client in this capture is actually the browser you're testing with? Or are you looking at the server side of the F5, and if so, what version of BIG-IP are you running?
You can see from the capture that the client sends an SSLv2 compatible ClientHello and then a list of REALLY old, deprecated and unsafe ciphers to the server. The server then immediately resets the connection. If I had to put money on it, I'd say the server was resetting based on the terrible list of ciphers sent by the client, and so it depends on which side of the F5 you took this capture, and who was the client (your browser of the F5 server side).

kevin_stewart · Answer

What you're showing in that last capture looks like a good SSL handshake. So to recap, where did the first capture come from and who was the client in that case? I'm worried about the very old ciphers presented from the client (some MD5, export, SSLv2, etc.). What type of client were you using?&nbsp;
And in the second capture, where did you take that from? And who is the client in this case?&nbsp;

Forum Discussion

Configuring F5 Re-Encryption

Recent Discussions

NAT for specific IPs

VIP needed for many UDP ports

remove ssh after gtm_add/bigip_add/big3d_add ?

What will be happen to live and existing connections when failover HA BIG IP active-standby

Creating Policy using Terraform

Related Content

Using Single Configuration File to Configure F5

TMUI / Configuration WebUI - TLS/SSL Configuration - ECDHE

Decrypt and Re-encrypt requests on F5

no sync GTM configuration?

Need help - Configure forwarding proxy chain

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS