For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Neil_Marks's avatar
Neil_Marks
Icon for Nimbostratus rankNimbostratus
Nov 26, 2019

Debugging ServerSSL Profile Setup

So I have a setup which basically is as follows: F5 LTM (terminates external https traffic) this needs to re-encrypt to a NGINX server, which is setup to passthrough traffic to a HA Proxy service wh...
application delivery
BIG-IP
LTM
ssl
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Nov 26, 2019

So let's understand what is going on with the server-ssl profile and compare it to the curl command ...

curl --cacert ca-ocp.pem https://app1.openshift.test

Send a ClientHello to the SSL server app1.openshift.test.

When the ServerHello returns the certificate, validate it against the Certificate Authority defined in ca-ocp.pem before connecting.

With a server-ssl profile, we validate the returned certificate against the settings set in the Server Authentication section - the servers (pool members) are specifically defined, and may be configured with self-signed or non-public certificates, so we usually just trust them.

This is the equivalent of 

curl -k https://app1.openshift.test

But the server-ssl profile also does not know the name of the target server - the pool member is specified by IP. 

curl -k https://192.168.1.1

Here is where you probably fail - the target server needs a Server Name Indication (SNI) to identify the correct service to respond with. This is specified in the Server Name field of the server-ssl profile.

You also need to use an irule/Local Traffic Policy to select the correct server-ssl profile or pass-through the request SNI to the server-side ssl request:

SNI Routing with BIG-IP

Client side to server side SNI relay iRule