Forum Discussion

APezuela's avatar
APezuela
Icon for Nimbostratus rankNimbostratus
May 07, 2021

F5 SSL Proxy question

Hi,

 

We have some obsolete server in our infraestructure and like you now new servers doesn't allow protocolos like TLS1.0 by default. So we want to use F5 like a proxy between old a new server, our idea is new server speaks to F5 BigIP using TLS1.2 and F5 BigIP speaks to the old server using TLS1.0 ¿Is that right? ¿Can I use F5 for that?

 

I create a virtual server with a client/server SSL profile with "SSL Proxy" checked. We configured the server profile with our wildcart certificate. But it is not working, we can see this messages in the log:

 

Fri May 7 11:27:20 CEST 2021 warning F5DCPR tmm[16831] 01260009 Connection error: ssl_hs_pxy_scan:16122: no matching certificate (46) Fri May 7 11:27:20 CEST 2021 err F5DCPR tmm[16831] 01260015 Certificate supplied by server (subject CN: server1.pre.pre) was not configured on virtual: /Common/test_proxy_ssl_CLASS_DUPLICADO Fri May 7 11:27:20 CEST 2021 warning F5DCPR tmm[16831] 01260013 SSL Handshake failed for TCP 10.xx.0.67:60795 -> 172.xx.152.59:443 Fri May 7 11:27:20 CEST 2021 warning F5DCPR tmm[16831] 01260013 SSL Handshake failed for TCP 172.xx.32.39:443 -> 172.30.152.225:60795

  • Apezuela,

     

    I believe that you need to use the SAME certificate on the F5 as the back end server to use SSL Proxy, otherwise you will get the error you mention that's described here https://support.f5.com/csp/article/K13393

     

    Have you tried having a clientssl profile and serverssl profile attached without the SSL Proxy tick box selected? I suspect that what you are actually wanting to achieve is what is described as "SSL Bridging" described here https://devcentral.f5.com/s/question/0D51T00006i7j36SAA/ssl-passthrough-ssl-offloading-and-ssl-bridging

     

    Rob