ToonVA
Dec 03, 2019

LDAPS LTM - SSL Offloading and Re-Encrypt not working

Hi All,


I received a request to make a VIP for LDAPS traffic, but I stumbled on some issues which I don't know how to solve.

The VIP is listening on port 636 with a client SSL profile assigned to it, and we also have a server SSL profile assigned for re-encrypting to the backend servers.

After some test runs with the users and doing some dumps, we can't seem to get it working, and I am not sure if I missed something on my end or if something is missing on the backend servers (I don't have control/access on those servers).


Clients --> VIP (no SSL) --> BACKEND --> OK

Clients --> VIP (client-ssl) --> BACKEND --> NOK

Clients --> VIP (client-ssl + server-ssl) --> BACKEND --> NOK


The content of the certificate is just the URL name of the VIP (client-ssl profile), and for the server-ssl profile we tried both options: NO certificate, and the same certificate content as in the client-ssl profile.


TCPDUMP shows that the SSL negotiation on the client side is OK, but as soon as the re-encryption is initiated, at the "client-hello" we see RST ACK from one of the backend servers.


So I am not sure if the content of the certificate is the problem here (but then it's the same result with the server-ssl profile without cert content) or if something is wrong on the backend server(s). Googling did not really help me on this topic, as everything I found was either OLD or did not contain useful information. Cipher strings are all set to DEFAULT to avoid compatibility issues, and we even forced TLS 1.0 only as well to exclude an issue with the protocol.


BIG-IP 13.1.0.8 Build 0.0.3 Point Release 8
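As an added diagnostic, not part of the post above and not F5's own tooling: a small Python probe that does what the server-ssl leg of the VIP does toward a pool member, in three separate steps (plain TCP, TLS without SNI, TLS with SNI), and classifies where each attempt fails. The host, port and SNI values are placeholders, and the "resetting backend" is a constructed stand-in that reproduces the "RST ACK right after the ClientHello" symptom from the post so the script runs offline.

```python
"""Probe an LDAPS pool member the way a BIG-IP server-ssl profile would,
and classify where the connection fails. Added example; the backend
values below are placeholders, not anything from the post."""
import socket
import ssl
import struct
import threading

BACKEND_HOST = "ldap-backend.example.invalid"  # placeholder pool member
LDAPS_PORT = 636


def probe_tcp(host, port, timeout=3.0):
    """Plain TCP connect only. Mirrors the 'VIP (no SSL) -> BACKEND -> OK'
    row: if this fails, the problem is reachability, not TLS."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "tcp-ok"
    except OSError as exc:
        return f"tcp-fail ({exc.__class__.__name__})"


def probe_tls(host, port, sni=None, verify=False, timeout=3.0):
    """TCP connect, then a TLS handshake; returns a classification string.
    sni=None sends no server_name extension (a server-ssl profile with no
    SNI configured behaves the same way); verify=True also validates the
    member's certificate against the system trust store."""
    ctx = ssl.create_default_context()
    if verify and sni:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_REQUIRED if verify else ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"tcp-fail ({exc.__class__.__name__})"
    try:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return f"tls-ok {tls.version()} {tls.cipher()[0]}"
    except (ConnectionResetError, BrokenPipeError, ssl.SSLEOFError) as exc:
        # Torn down before any ServerHello: the 'RST ACK after ClientHello'
        # symptom lands here. No certificate has been exchanged at this point.
        return f"handshake-aborted ({exc.__class__.__name__})"
    except ssl.SSLCertVerificationError as exc:
        return f"cert-verify-failed ({exc.verify_message})"
    except ssl.SSLError as exc:
        if exc.reason and "EOF" in exc.reason:
            return f"handshake-aborted ({exc.reason})"
        # Handshake ran but was rejected at the TLS layer (protocol/cipher...)
        return f"tls-error ({exc.reason})"
    except socket.timeout:
        return "handshake-timeout"


def diagnose(host, port, sni=None):
    """Run the three probes in the same order as the post's comparison."""
    return {
        "tcp": probe_tcp(host, port),
        "tls-no-sni": probe_tls(host, port, sni=None),
        "tls-sni": probe_tls(host, port, sni=sni or host),
    }


def start_resetting_backend():
    """Constructed stand-in for the failing pool member: completes the TCP
    handshake, waits for the first bytes (the ClientHello), then aborts the
    connection with RST via SO_LINGER zero. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(1)  # let the ClientHello arrive first
                except OSError:
                    pass
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                struct.pack("ii", 1, 0))  # close() -> RST
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


if __name__ == "__main__":
    port, stop = start_resetting_backend()
    try:
        for name, result in diagnose("127.0.0.1", port,
                                     sni="ldap.example.invalid").items():
            print(f"{name:12s} {result}")
    finally:
        stop.set()
```

Run it from a host that can reach the pool member directly (the BIG-IP itself is the natural choice, since it is the TLS client on the server-ssl leg), replacing the placeholder host and SNI. A `handshake-aborted` result means the member dropped the connection on receipt of the ClientHello, before any ServerHello, so neither profile's certificate has entered the picture yet; `cert-verify-failed` and `tls-error` results occur later in the handshake and do point at certificate, protocol or cipher settings. Comparing the `tls-sni` and `tls-no-sni` rows shows whether the member requires a server name to be present.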