Forum Discussion
HTTPS Virtual Server return "This page is unavailable"
As the others have stated, the client SSL profile is for the configuration of the client side SSL session, between the client and the F5. The server SSL profile is for the configuration of the server side SSL session, between the F5 and the server. To offload client side SSL, you need a client SSL profile. To re-encrypt to the server, you also need a server SSL profile. In most cases, you don't need to use anything other than the default serverssl profile.

Consider in this case the F5 is the client in the SSL handshake to the server. The client says CLIENTHELLO and passes a list of acceptable ciphers. The server says SERVERHELLO and SERVERCERTIFICATE to both choose a cipher from that list and send its server certificate to the client, respectively. If this were happening on the client side, the server cert sent to the client by the F5 would need to be validated by the client, against its explicit CA trust bundle. If the request host didn't match the cert's subject value, the certificate was expired, or the client had no CAs to be able to validate a full chain of trust, the user would see that familiar certificate trust warning message. On the server side, that same thing is happening; the serverssl profile is designed by default to ignore this error. You can instruct it to do otherwise in the Server Authentication section of the profile, but that's rarely a requirement.

Now, if the server is attempting to do mutual authentication by requesting a client certificate, that (client) certificate must come from the serverssl profile, statically embedded in the certificate and key values of the serverssl profile.

If you have all of the correct settings in place as described above, I would recommend the following actions:
- Review the LTM log for additional SSL-related errors.
- Are you specifying a different cipher list in either profile?
- Does the server require a client certificate in the SSL handshake?
- Perform an SSL dump on both the client side SSL session, and on the server side SSL session and look for errors within.
ssldump -k [path to private key] -AdNn -i 0.0 port 443 [and any additional filters]
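
As an added example (not part of the original post), the script below reads saved ssldump text and reports, per connection, the handshake messages seen, any alerts, and whether the server sent a CertificateRequest. It assumes ssldump's usual record layout; the sample capture is constructed and the function name `summarize` is hypothetical.

```python
import re

# Constructed sample in ssldump's layout (not a real capture); on the server side C is the F5.
SAMPLE = """\
New TCP connection #1: 10.0.0.5(41822) <-> 10.0.0.20(443)
1 1  0.0011 (0.0011)  C>S  Handshake
      ClientHello
1 2  0.0034 (0.0023)  S>C  Handshake
      ServerHello
1 3  0.0034 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0034 (0.0000)  S>C  Handshake
      CertificateRequest
      ServerHelloDone
1 5  0.0051 (0.0017)  C>S  Handshake
      Certificate
1 6  0.0060 (0.0009)  S>C  Alert
    level           fatal
    value           handshake_failure
1    0.0061 (0.0001)  S>C  TCP FIN
"""

RECORD = re.compile(r"^(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(\S+)")
MESSAGE = re.compile(r"^\s+([A-Z][A-Za-z]+)\s*$")       # e.g. "      ClientHello"
ALERT_FIELD = re.compile(r"^\s+(level|value)\s+(\S+)")  # e.g. "    level  fatal"

def summarize(dump):
    """Per connection: handshake messages seen, alerts, and whether the
    server asked for a client certificate (CertificateRequest)."""
    conns, cur, rtype = {}, None, None
    for line in dump.splitlines():
        rec = RECORD.match(line)
        if rec:
            cid, direction, rtype = rec.groups()
            cur = conns.setdefault(cid, {"messages": [], "alerts": [],
                                         "client_cert_requested": False})
            if rtype == "Alert":
                cur["alerts"].append({"from": direction})
            continue
        if cur is None or not line[:1].isspace():
            continue  # banner or TCP-level line, not part of a record body
        msg, field = MESSAGE.match(line), ALERT_FIELD.match(line)
        if rtype == "Handshake" and msg:
            cur["messages"].append((direction, msg.group(1)))
            if msg.group(1) == "CertificateRequest":
                cur["client_cert_requested"] = True
        elif rtype == "Alert" and field:
            cur["alerts"][-1][field.group(1)] = field.group(2)
    return conns
```

In a server-side capture, a CertificateRequest followed by a fatal alert from the server points back to the question of whether the serverssl profile carries the client certificate and key.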