F5 SSL Proxy question
Hi,
We have some obsolete servers in our infrastructure and, as you know, new servers don't allow protocols like TLS1.0 by default. So we want to use F5 as a proxy between the old and new servers. Our idea is that the new server speaks to the F5 BigIP using TLS1.2 and the F5 BigIP speaks to the old server using TLS1.0. Is that right? Can I use F5 for that?
I created a virtual server with a client/server SSL profile with "SSL Proxy" checked. We configured the server profile with our wildcard certificate. But it is not working; we can see these messages in the log:
Fri May 7 11:27:20 CEST 2021 warning F5DCPR tmm[16831] 01260009 Connection error: ssl_hs_pxy_scan:16122: no matching certificate (46)
Fri May 7 11:27:20 CEST 2021 err F5DCPR tmm[16831] 01260015 Certificate supplied by server (subject CN: server1.pre.pre) was not configured on virtual: /Common/test_proxy_ssl_CLASS_DUPLICADO
Fri May 7 11:27:20 CEST 2021 warning F5DCPR tmm[16831] 01260013 SSL Handshake failed for TCP 10.xx.0.67:60795 -> 172.xx.152.59:443
Fri May 7 11:27:20 CEST 2021 warning F5DCPR tmm[16831] 01260013 SSL Handshake failed for TCP 172.xx.32.39:443 -> 172.30.152.225:60795