Forum Discussion
MarkM_63051
Jan 23, 2012 Nimbostratus
HTTPS Problem
Hello,
Up until now using the F5 has been fairly straightforward. Adding HTTPS certificate support for incoming IE connections, however, has got me stumped. I have watched the online webinar ...
MarkM_63051
Jan 24, 2012 Nimbostratus
What is your Server Side SSL set to in your VS?
Answer: No SSL Server Profile is selected = NONE
If you are not doing SSL on the Tomcat servers then you need to make sure it is set to None.
Answer: I am not performing an SSL setup to the Tomcat server in the pool.
When you look at your client profile drop down to advanced and what options are you customizing?
Answer: None, I have tried using both my own certificate and the default certificate
To troubleshoot this you need to keep in mind that it is not all one connection. You have an SSL connection coming to the VS on the F5 that is terminating and then the F5 will do its own socket to the server. So you need to troubleshoot each side independently, I would personally start with the client side (client to VS) and rule it out first before looking at the server side (VS to Tomcat server).
Client Side troubleshoot: Take a tcpdump on the F5 like Josh had stated, then run that through ssldump and see if the ssl handshake is completing successfully. ex:

    ssldump -r external.pcap

If you want to decrypt the session you will need to do this:

    ssldump -d -A -k /config/ssl/ssl.key/(the name of the key for your site) -r external.pcap

You basically want to confirm that the ssl handshake is completing and you see a GET request from the client. Another tool to use to troubleshoot the client side would be Fiddler or HTTPWatch plugins for IE or Firefox; they will show you what the browser sees.

From the server side, you keep saying you are seeing traffic in your wireshark trace, but what kind of traffic? Are you seeing a GET request to the web server? I ask because you should see traffic coming from the F5 in the form of whatever healthcheck you are doing on the pool to the web server, but that does not mean that it is actual client traffic. This should work, as simply doing an SSL VS is not something that is uncommon on an F5 device; I run roughly a dozen of them on some ASM units I manage.
Answer: This will take a little time to do, but I will try it. I did however perform a Wireshark capture on the Tomcat server and it showed TCP connections to the F5.
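
Added example, not part of the thread: a small Python check over saved ssldump text output that reports, per connection, whether the handshake completed and whether a client request was decoded, which is the confirmation the client-side step above asks for. The function name `summarize`, the sample capture text and the record-line layout it parses are assumptions modeled on ssldump's usual output, and it assumes a pre-TLS 1.3 handshake in which both sides send ChangeCipherSpec.

```python
import re

# Record header in ssldump text output: "<conn> <rec> <time> (<delta>)  C>S  <type>"
RECORD = re.compile(r"^(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+([CS])>[CS]\s+(\S+)")
REQUEST = re.compile(r"^\s*(?:GET|POST|HEAD|PUT|DELETE)\s+\S+\s+HTTP/\d")

# Constructed, abbreviated ssldump output (documentation addresses, not a real capture)
SAMPLE = """\
New TCP connection #1: 192.0.2.10(51000) <-> 192.0.2.20(443)
1 1  0.0010 (0.0010)  C>S  Handshake
      ClientHello
1 2  0.0020 (0.0010)  S>C  Handshake
      ServerHello
1 3  0.0100 (0.0080)  C>S  ChangeCipherSpec
1 4  0.0120 (0.0020)  S>C  ChangeCipherSpec
1 5  0.0150 (0.0030)  C>S  application_data
    GET / HTTP/1.1
New TCP connection #2: 192.0.2.11(51001) <-> 192.0.2.20(443)
2 1  0.0010 (0.0010)  C>S  Handshake
      ClientHello
2 2  0.0020 (0.0010)  S>C  Alert
    level           fatal
    value           handshake_failure
"""

def summarize(text):
    """Map each connection id to a verdict on handshake and client request."""
    conns, cur, rtype = {}, None, None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            conn, sender, rtype = m.groups()
            cur = conns.setdefault(conn, {"ccs": set(), "alert": None, "req": None})
            if rtype == "ChangeCipherSpec":
                cur["ccs"].add(sender)  # remember which side switched to encryption
        elif cur is not None:
            words = line.split()
            if rtype == "Alert" and len(words) > 1 and words[0] == "value" and not cur["alert"]:
                cur["alert"] = words[1]
            elif cur["req"] is None and REQUEST.match(line):
                cur["req"] = line.strip()  # only visible when decrypting with -d -A -k
    out = {}
    for conn, c in conns.items():
        if c["ccs"] != {"C", "S"}:
            out[conn] = "handshake incomplete" + (f" (alert: {c['alert']})" if c["alert"] else "")
        else:
            out[conn] = f"handshake ok, request: {c['req']}" if c["req"] else "handshake ok, no request decoded"
    return out
```

A connection reported as "handshake ok, no request decoded" on a capture read without the private key does not rule out client traffic, since application data stays encrypted in that case.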