Forum Discussion
LTM SSL Offloading
Dears, I have an application server that uses HTTP port 80. This server is installed behind an F5 LTM and an IPS. We are now requested to encrypt the traffic going to the server using SSL offloading: the traffic from the clients to the F5 should be encrypted using an SSL client profile, and the traffic between the F5 and the server needs to be sent as clear text to make sure that the IPS can read it.
My question is: I created a VS on the F5 that listens on HTTPS, uploaded the certificates and assigned them to an SSL client profile, and we kept the physical server listening on HTTP (port 80), but that didn't work (I always get a blank page as a response from the server).
Will the LTM by default change a request that comes in on TCP 443 to TCP 80 on the server side or not? Do I need to change anything?
Best regards, Ahmad
4 Replies
- Ahmad_Mohaidat_
Nimbostratus
Thanks for your response. Kindly note that when I install the certificates on the physical server and bypass the F5, I can log in to the server without any issues.
Here is an ssldump; 172.32.31.200 is the IP address of the virtual server and 10.255.155.137 is my IP.
[root@EMP-LTMASM-1:Active:In Sync] tmp ssldump -nr /var/tmp/www-ssl-client.cap
New TCP connection 2: 10.255.155.137(50487) <-> 172.32.31.200(443)
New TCP connection 1: 10.255.155.137(50488) <-> 172.32.31.200(443)
1 1 0.0041 (0.0041) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc027
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc02b
Unknown value 0xc023
Unknown value 0xc02c
Unknown value 0xc024
Unknown value 0xc009
Unknown value 0xc00a
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 2 0.0042 (0.0000) S>C Alert
level fatal
value handshake_failure
1 0.0042 (0.0000) S>C TCP FIN
2 1 0.0048 (0.0048) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc027
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc02b
Unknown value 0xc023
Unknown value 0xc02c
Unknown value 0xc024
Unknown value 0xc009
Unknown value 0xc00a
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
compression methods
NULL
2 2 0.0049 (0.0000) S>C Alert
level fatal
value handshake_failure
2 0.0049 (0.0000) S>C TCP FIN
1 0.0060 (0.0018) C>S TCP FIN
2 0.0069 (0.0019) C>S TCP FIN
New TCP connection 3: 10.255.155.137(50489) <-> 172.32.31.200(443)
New TCP connection 4: 10.255.155.137(50490) <-> 172.32.31.200(443)
3 1 0.0034 (0.0034) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc009
Unknown value 0xc00a
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL2_CK_RC4
SSL2_CK_3DES
Unknown value 0xff
3 2 0.0035 (0.0000) S>C Alert
level fatal
value handshake_failure
3 0.0035 (0.0000) S>C TCP FIN
4 1 0.0034 (0.0034) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc009
Unknown value 0xc00a
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL2_CK_RC4
SSL2_CK_3DES
Unknown value 0xff
4 2 0.0034 (0.0000) S>C Alert
level fatal
value handshake_failure
4 0.0034 (0.0000) S>C TCP FIN
3 0.0053 (0.0018) C>S TCP FIN
4 0.0051 (0.0016) C>S TCP FIN
New TCP connection 5: 10.255.155.137(50491) <-> 172.32.31.200(443)
New TCP connection 6: 10.255.155.137(50492) <-> 172.32.31.200(443)
5 1 0.0032 (0.0032) C>S SSLv2 compatible client hello
Version 3.0
cipher suites
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL2_CK_RC4
SSL2_CK_3DES
Unknown value 0xff
5 2 0.0032 (0.0000) S>C Alert
level fatal
value handshake_failure
5 0.0033 (0.0000) S>C TCP FIN
6 1 0.0033 (0.0033) C>S SSLv2 compatible client hello
Version 3.0
cipher suites
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL2_CK_RC4
SSL2_CK_3DES
Unknown value 0xff
6 2 0.0034 (0.0000) S>C Alert
level fatal
value handshake_failure
6 0.0034 (0.0000) S>C TCP FIN
5 0.0052 (0.0019) C>S TCP FIN
6 0.0050 (0.0016) C>S TCP FIN
New TCP connection 8: 10.255.155.137(50494) <-> 172.32.31.200(443)
New TCP connection 7: 10.255.155.137(50493) <-> 172.32.31.200(443)
Version 2 Client.
8 0.0031 (0.0031) S>C TCP FIN
Version 2 Client.
7 0.0043 (0.0043) S>C TCP FIN
8 0.0047 (0.0016) C>S TCP FIN
7 0.0058 (0.0015) C>S TCP FIN
- nitass
Employee
Have you tried the "clientssl-insecure-compatible" clientssl profile?
- Emad
Cirrostratus
Kind of a suggestion: this goal can also be achieved if you differentiate your DMZ segment from the APP segment. Using a router between the servers and the BIG-IP LTM can make it easy to send your traffic to an internal ASA or IPS/IDS module.
- Kevin_Stewart
Employee
If I may add, your capture is basically 6 different attempts to start an SSL handshake, starting with TLS1.2 and moving to TLS1.0. The odd thing is that the client's CLIENTHELLO message is met with an immediate failure by the server. This would usually indicate some egregious disparity between the client and server's capabilities. So quick questions then:
- Are you doing anything specific in the client SSL profile?
- Specific cipher selection?
- Any non-default settings?
- If you have made changes, what happens if you use a basic unmodified client SSL profile (except for the server cert and key)?
And in case there's something missing from the logs, do you see any server side traffic with a tcpdump?
tcpdump -lnni 0.0 port 80 and host y.y.y.y
where y.y.y.y is the IP address of the web server.
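Kevin's reading of the capture (a series of ClientHellos, each answered by an immediate fatal alert) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from F5: it parses ssldump's text output into one record per TCP connection (offered protocol version, cipher suites, the server's first reply and any alert) and lists the connections that received handshake_failure straight after the hello. SAMPLE is a constructed two-connection excerpt in the same format as the capture above, and the function and field names are my own.

```python
"""Per-connection summary of an ssldump trace: offered version, cipher suites and
the server's first reply. Added example, not F5 code; SAMPLE is constructed."""
import re
SAMPLE = """\
New TCP connection 1: 10.255.155.137(50488) <-> 172.32.31.200(443)
1 1 0.0041 (0.0041) C>S Handshake
Version 3.3
cipher suites
TLS_RSA_WITH_AES_128_CBC_SHA256
Unknown value 0xc027
compression methods
NULL
1 2 0.0042 (0.0000) S>C Alert
value handshake_failure
1 0.0042 (0.0000) S>C TCP FIN
New TCP connection 8: 10.255.155.137(50494) <-> 172.32.31.200(443)
Version 2 Client.
8 0.0031 (0.0031) S>C TCP FIN
"""
NEW_CONN = re.compile(r"^New TCP connection (\d+): (\S+) <-> (\S+)$")
RECORD = re.compile(r"^(\d+) (?:\d+ )?\d+\.\d+ \(\d+\.\d+\) ([CS]>[CS]) (.+)$")
VERSIONS = {"3.0": "SSL3.0", "3.1": "TLS1.0", "3.2": "TLS1.1", "3.3": "TLS1.2"}
def summarise(trace):
    """Map connection id -> dict(peer, version, ciphers, reply, alert)."""
    conns, cur, in_ciphers = {}, None, False
    for line in (l.strip() for l in trace.splitlines()):
        if m := NEW_CONN.match(line):            # connection header
            cur, in_ciphers = int(m.group(1)), False
            conns[cur] = dict(peer=m.group(2), version=None, ciphers=[], reply=None, alert=None)
        elif m := RECORD.match(line):            # "<conn> [<rec>] <t> (<dt>) C>S|S>C <what>"
            cur, in_ciphers = int(m.group(1)), False
            if m.group(2) == "S>C" and conns[cur]["reply"] is None:
                conns[cur]["reply"] = m.group(3)  # first thing the server sent back
        elif cur is None:
            continue                             # stray text before any connection
        elif line.startswith("Version "):        # "Version 3.3"; SSLv2-only hello: "Version 2 Client."
            v = line[8:]
            conns[cur]["version"] = "SSL2.0" if v == "2 Client." else VERSIONS.get(v, v)
        elif line == "cipher suites":
            in_ciphers = True
        elif line == "compression methods":
            in_ciphers = False
        elif line.startswith("value "):          # alert description line
            conns[cur]["alert"] = line[6:]
        elif in_ciphers:
            conns[cur]["ciphers"].append(line)
    return conns
def failed_handshakes(conns):
    """Connections the server rejected straight after the hello, as in the capture."""
    return sorted(i for i, c in conns.items() if c["alert"] == "handshake_failure")
```

Feed it the output of `ssldump -nr <capture>` and every connection listed by failed_handshakes() is one the client SSL profile refused before any negotiation, which is where to compare the offered suites and versions against the profile's settings.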