Forum Discussion
Does F5 encrypt traffic internally from a VS to another VS?
Dear community,
Context
VS_Parent with clientssl + serverssl profiles and an iRule (that is responsible for routing the traffic to the child VSs based on the FQDN for example)
VS_Child1 has clientssl + serverssl profiles
VS_Child2 has clientssl + serverssl profiles
All VSs are on the same BIGIP.
Client < Encrypted Channel 1 > VS_Parent < Encrypted Channel 2 > VS_Child1 or VS_Child2 < Encrypted Channel 3 > Pool_Member
Question
Based on the theory, the BIG-IP should have 3 encrypted channels.
To confirm that, I've done a "tcpdump" on the child VS to see if the traffic is encrypted. I can't see any SSL packet using Wireshark.
Does F5 encrypt traffic routed from a VS_Parent to a VS_Child? Or does it not encrypt it, in order to optimize resource utilization?
Thanks for your help
Jad
- youssef1Cumulonimbus
Hi Jad,
I had already asked myself the question.
So yes, F5 encrypts traffic routed from a VS_Parent to a VS_Child.
I validated my supposition by removing SSL Client in VS_Child and noticed that access to my service was not functional.
Additionally, you can use my debug iRule (hosted on DevCentral) that allows you to see the cipher/protocol used in both VSs (child and parent).
I advise you to run an ssldump using this KB:
https://support.f5.com/csp/article/K10209
So in child vs, initiate a basic capture:
tcpdump -vvv -s 0 -nni external -w /var/tmp/www-ssl-client.cap host 10.1.1.100 and port 443
then check ssl exchange:
ssldump -nr /var/tmp/www-ssl-client.cap
Keep me in touch.
regards,
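A check that does not depend on Wireshark's or ssldump's dissectors, added here as an example (it is not code from this thread or from F5): it reads a classic pcap file and reports the TLS record headers seen on port 443. The function names and the sample capture with its addresses are constructed for illustration; it assumes Ethernet/IPv4 framing and does no TCP reassembly.

```python
import struct

HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 16: "ClientKeyExchange"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def tls_records(payload):
    """Return (content_type, version, handshake_name) for TLS records at the start of a TCP payload."""
    out, off = [], 0
    while off + 5 <= len(payload):
        ctype, ver, length = struct.unpack_from("!BHH", payload, off)
        if ctype not in (20, 21, 22, 23) or ver >> 8 != 3 or length > 16384 + 2048:
            break  # not a plausible record header: type 20-23, major version 3, sane length
        is_hs = ctype == 22 and off + 5 < len(payload)
        name = HANDSHAKE.get(payload[off + 5], "other/encrypted") if is_hs else None
        out.append((ctype, VERSIONS.get(ver, hex(ver)), name))
        off += 5 + length
    return out

def scan_pcap(data, port=443):
    """Scan a classic little-endian pcap (Ethernet/IPv4/TCP, no reassembly) for TLS records."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    found, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]  # captured length of this packet
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4/TCP
        tcp = 14 + (pkt[14] & 0x0F) * 4
        if len(pkt) < tcp + 20:
            continue  # truncated TCP header
        sport, dport = struct.unpack_from("!HH", pkt, tcp)
        if port in (sport, dport):
            found += tls_records(pkt[tcp + (pkt[tcp + 12] >> 4) * 4:])
    return found

def _record(payload, sport=50000, dport=443):
    """Constructed Ethernet/IPv4/TCP frame (zero checksums) with its pcap record header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 1, 1, 1]), bytes([10, 1, 1, 100]))
    frame = bytes(12) + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample: a minimal ClientHello record, a cleartext HTTP request, TLS application data.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _record(b"\x16\x03\x01\x00\x04\x01\x00\x00\x00")
          + _record(b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n")
          + _record(b"\x17\x03\x03\x00\x02\xaa\xbb"))
```

On a real capture, pass the file's bytes to `scan_pcap`; an empty result on a port that carries traffic means no segment started with a TLS record header. The version shown is the record-layer field, which TLS 1.3 also sets to 0x0303.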
- Jad_Tabbara__J1Cirrostratus
Hello Youssef,
Thanks for your answer. Using the "tcpdump + ssldump" I can see the SSL handshake on the VS_CHILD...
Before posting my question, I did the same capture using tcpdump, but I used Wireshark to see the SSL handshake.
My Wireshark was not parsing the SSL traffic correctly; indeed, using my colleague's Wireshark we can see the SSL handshake. I will reinstall my Wireshark to correct this.
So the issue comes from my Wireshark :D
Thank you, you helped me to answer 2 questions in one :p
Regards
- youssef1Cumulonimbus
Hello Jad,
Glad to have been able to bring you my help my dear.
Regards