Forum Discussion
HTTP Profile causing cert issues
Hi,
We have a situation where a VIP configured as SSL Passthrough (No SSL Profiles) seems to cause certificate errors between client and backend server when the VIP is configured with an http profile.
The profile in question is configured as follows:
ltm profile http fqdn.example.com_http {
    app-service none
    defaults-from http
    fallback-host none
    proxy-type reverse
}
The rest of the VIP:
ltm virtual fqdn.example.com-https-proxy {
    destination x.x.x.x:https
    ip-protocol tcp
    mask 255.255.255.255
    pool pool-fqdn.example.com-https-proxy
    profiles {
        tcp-wan-optimized { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 11
}
What happens in the traffic stream is that when there is an HTTP profile attached to the VIP, the server sends the certificate information to the client, and the client immediately responds with a TLS Fatal Error: Certificate Unknown.
We suspected a client-side issue until I removed the http profile on a hunch.
So my question is why does the HTTP profile cause an issue with the certificate?
1 Reply
- Simon_Blakely
Employee
An HTTP profile only operates on decrypted data (i.e., a client SSL profile that terminates SSL).
If you apply an HTTP profile to an SSL passthrough, the HTTP profile will terminate the connection (because the traffic is not valid HTTP).
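A configuration check for the condition described in this thread, added here as an example and not taken from the original posts or from F5: it scans tmsh-style text for HTTPS virtual servers that attach an http-type profile without a client-ssl profile. The function names, the sample config, the default profile names `http` and `clientssl`, and the use of destination port `https`/`443` as the sign of TLS traffic are assumptions of this example.

```python
import re
# Default profile names mapped to their tmsh profile type (assumed defaults).
BUILTIN = {"http": "http", "clientssl": "client-ssl"}

# Constructed sample: the poster's VIP with the HTTP profile attached, plus two controls.
SAMPLE = """\
ltm profile http fqdn.example.com_http { defaults-from http }
ltm virtual fqdn.example.com-https-proxy {
    destination x.x.x.x:https
    profiles {
        fqdn.example.com_http { }
        tcp-wan-optimized { }
    }
}
ltm virtual terminated-https {
    destination x.x.x.x:443
    profiles { clientssl { context clientside } http { } tcp { } }
}
ltm virtual plain-http {
    destination x.x.x.x:http
    profiles { http { } tcp { } }
}
"""

def block(text, start):
    """Return the text from `start` (just past a '{') up to its matching '}'."""
    depth, i = 1, start
    while depth and i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]

def passthrough_with_http(config):
    """Names of HTTPS virtuals that attach an http-type profile but no client-ssl one."""
    types, virtuals = dict(BUILTIN), []
    for m in re.finditer(r"^ltm (profile (\S+)|virtual) (\S+)\s*\{", config, re.M):
        if m.group(2):                       # profile stanza: remember its type
            types[m.group(3)] = m.group(2)
            continue
        body = block(config, m.end())        # virtual stanza: collect port and profiles
        port = re.search(r"destination \S+:(\S+)", body)
        prof = re.search(r"\bprofiles\s*\{", body)
        names = re.findall(r"(\S+)\s*\{[^{}]*\}", block(body, prof.end())) if prof else []
        virtuals.append((m.group(3), port.group(1) if port else "", names))
    return [name for name, port, names in virtuals
            if port in ("https", "443")      # heuristic: these ports carry TLS
            and "http" in (kinds := {types.get(n) for n in names})
            and "client-ssl" not in kinds]
```

Calling `passthrough_with_http(SAMPLE)` reports only the passthrough virtual that has the HTTP profile attached; the virtual that terminates SSL and the plain HTTP virtual are not reported.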