Forum Discussion

SM_80821
Jun 25, 2010

F5 end-to-end SSL with Win2k8R2 doesn't work

Hi

I have the following topology where end-to-end SSL does not work with the F5 proxy.

client (winxp or any)--[ssl]---F5--[ssl]--Server (windows2008R2)

-Just SSL termination on F5 and clear text on the backend works

-End-to-end SSL with any other server like 2k3 or Linux works

-With any cipher on w2k8R2 (RC4-MD5, AES128-SHA [default]) it doesn't work. Handshake fails (actually TCP RST from F5 server side) after server sends CCS/Finished.

Has anyone faced similar issues before? Any ideas how to fix this?

Thanks

SM

 

  • George_Watkins_
    Hi SM,

    Have you checked to make sure you have server and client SSL profiles associated with this virtual?

    -George
  • Yes. I have the virtual with both client-ssl and server-ssl attached.

  • hoolio
    If you do an ssldump looking for the serverside connection, what do you see in the handshake attempt?

    http://www.rtfm.com/ssldump/Ssldump.html

    Also, which LTM version are you running? Are you using the default server SSL profile or something more customized? If the latter, can you post an anonymized copy of the server SSL profile using 'b profile serverssl PROFILE_NAME list'?

    Aaron
  • Thanks for the reply.

    From the server, the last packet I see is:

    'client key exchange, change cipher spec, encrypted handshake message (finished)'

    The client (here the F5 SSL server side) sends a TCP RST packet.

    I am using the default server-side SSL profile, and the client-ssl profile is customized with my own certificate.

    It's an F6800 unit and the version is BIG-IP 9.2.0 build 167.4.

    Haven't updated the software in a while.

    Thanks

    SM

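To make concrete what that ssldump line corresponds to on the wire, here is an added example (not from the thread, nor F5 or ssldump code) of a small TLS record labeller: it walks a constructed byte string of the flight the F5 sends as TLS client and reports the same sequence, client key exchange, change cipher spec, encrypted handshake message, at which the capture stops. The CLIENT_FLIGHT bytes are constructed for the example, not taken from a real capture.

```python
import struct

# TLS record content types and cleartext handshake message types (RFC 2246 / RFC 5246)
CONTENT_TYPES = {20: "change cipher spec", 21: "alert", 22: "handshake", 23: "application data"}
HANDSHAKE_TYPES = {1: "client hello", 2: "server hello", 11: "certificate",
                   12: "server key exchange", 14: "server hello done",
                   16: "client key exchange", 20: "finished"}

def parse_records(data):
    """Label each TLS record in `data` the way ssldump prints a flight.

    After a ChangeCipherSpec record, handshake records from that sender are
    encrypted, so they can only be reported as 'encrypted handshake message'."""
    labels, off, encrypted = [], 0, False
    while off < len(data):
        if off + 5 > len(data):
            labels.append("truncated record header")
            break
        ctype, _major, _minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            labels.append("truncated record body")
            break
        if ctype == 22 and encrypted:
            labels.append("encrypted handshake message")
        elif ctype == 22:
            # cleartext handshake: the first body byte is the handshake message type
            labels.append(HANDSHAKE_TYPES.get(body[0], "handshake type %d" % body[0]) if body else "empty handshake record")
        else:
            labels.append(CONTENT_TYPES.get(ctype, "unknown content type %d" % ctype))
            if ctype == 20:
                encrypted = True
        off += 5 + length
    return labels

def ends_with_finished(labels):
    """True when the capture stops right after CCS + encrypted Finished, the point at
    which, in this thread, a TCP RST followed instead of the peer's own CCS/Finished."""
    return labels[-2:] == ["change cipher spec", "encrypted handshake message"]

# Constructed sample flight (not a real capture); record version 3.1 is TLS 1.0.
CLIENT_FLIGHT = (
    b"\x16\x03\x01\x00\x06" + b"\x10\x00\x00\x02\x00\x00"  # handshake: client key exchange
    + b"\x14\x03\x01\x00\x01" + b"\x01"                    # change cipher spec
    + b"\x16\x03\x01\x00\x10" + b"\x00" * 16               # encrypted handshake (finished)
)
```

Running parse_records(CLIENT_FLIGHT) yields the three labels above; feeding it a flight that ends in an alert record instead shows you whether the peer said why it gave up before the RST.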
  • hoolio
    Can you post an anonymized copy of the ssldump output? If you connect directly with a browser to the server via HTTPS, does it work?

    Also, I'd strongly suggest you upgrade to a current LTM version when you're able to. 9.2.0 has a lot of known issues.

    Aaron
  • Hey gang, I had a similar issue recently, and it turned out that the server-side certificate was too big, according to SOL11743. Good luck!
  • hoolio
    I think the 2048-bit cert/key limit is only for certs and keys that you import into LTM (and only for versions lower than 10.2.0). So server-side SSL shouldn't be affected by the server using a 4096-bit cert/key. It would break if you were using a client cert/key in the server SSL profile that was over 2048 bits.

    SM's problem sounds like it might be related to the SSL ciphers not being negotiated successfully between LTM and the server(s).

    Aaron