Forum Discussion

Joe_L's avatar
Joe_L
Icon for Nimbostratus rankNimbostratus
May 17, 2019

HTTP profile & SSL profiles not playing nice.

So I am attempting to set up a VS that is HTTPS (443) listening and HTTPS (443) pool members. I use a standard VS. Here is where it gets interesting. If I DO NOT use an HTTP profile the HTTPS/SSL connection get proxied to the pool server just fine. If I add an HTTP profile and a certificate based Client SSL profile with standard Server SSL profile the connection does not work. However, if I changes the Client & Server SSL profiles to Proxy the SSL it works again.

 

I appears that having the F5 be the "man in the middle" is not being accepted by the back end pool member. I am not sure why this would be the case, but I have run myself into the ground messing with profiles and having the server admins changing setting on the servers. I am at a loss as to why this would happen.

 

Does anyone have any insight?

 

What more info do you need? (I am limited as to what I will be able to provide)

  • Hey Joe,

     

    when you you do not have an HTTP profile for an HTTPS virtual server, only the TCP connection is proxies, SSL is passed through to the pool members.

     

    Once the HTTP profile is added to the VS, you have put it in full layer 7 mode and SSL will be terminated on the VS. This means you need to add a clientssl profile to the virtual server, or it will reject the connection. This is by design.

     

    Whilst you will get a certificate error, are you able to the default clientssl and serverssl profiles on the VS along with an HTTP profile.

    If this works the problem may be an issue with one of the SSL profiles you have applied.

  • Does the server require client certificate authentication?

     

    When you set a client/server SSL profile to Proxy, the TLS handshake is negotiated directly between client and the pool member, so that certificate-based mutual authentication works.

     

    This situation can be quite difficult to resolve - you can set up certificate authentication on the Client-ssl profile, and require the client to present a certificate. You can also supply a client authentication certificate to the server-SSL profile, and present the server with a certificate for authentication.

     

    But you cannot easily pass the specific client authentication certificate from the client to the server. This is a problem where the specific client authentication certificate has a role to play on the server. In some cases, you can configure delegated authentication on the server, and pass the client auth certificate in an HTTP Header, or similar, but it very much depends on the role the certificate plays and how the server is set up.