Performance with SSL Server Offload

Question

Hello 
&nbsp; We haved changed Linux LVS for LTM to balance or SSL Apache Servers. During the migration, we have also installed the public SSL certificates in  
&nbsp; the LTMs to offload the Apaches, and we're are using internal certificates between the LTM and the Apaches. 
&nbsp; Since that, the measure of times to open the main page is quite worse than it used to be. 
&nbsp; After activating oneconnect profile with 255.255.255.255 mask, the performance has improved, but is still quite worse that it used to be. 
&nbsp; With an sniffer, the captures show that it looks as if certificate ciphering is continuously: 
&nbsp; Client Key Exchange. Chage Cipher Spe, Encrypted Handshake Message 
&nbsp;  
&nbsp;  
&nbsp; If the ssl profile and certificate are removed from the LTM, the sysmem behaves as it used to be. Ciphering is negotiatend at the beginning of the session. 
&nbsp; The LTM negotiates SSLv3 with client, when it has the certificate. The Apache serves negotiates TLS1

hoolio · Answer

Hi, 
&nbsp;  
&nbsp; Which LTM version and platform are you using?  Can you try creating a custom server SSL profile and disabling SSLv2 and SSLv3 in the profile? 
&nbsp;  
&nbsp; If that doesn't work, you might try opening a case with F5 Support so they can review your full configuration and tcpdump/ssldumps. 
&nbsp;  
&nbsp; Aaron

soymanue · Answer

Hello 
&nbsp; I'm using version 10.0.1 build 283.0. 
&nbsp; The ssl profile has these ciphers chains: 
&nbsp; DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!DH:@STRENGTH 
&nbsp;  
&nbsp; Which looks like this: 
&nbsp;  0:  53 AES256-SHA                      256  SSL3  Native AES    SHA    RSA    
&nbsp;  1:  53 AES256-SHA                      256  TLS1  Native AES    SHA    RSA    
&nbsp;  2:  57 DHE-RSA-AES256-SHA              256  SSL3  Compat AES    SHA    EDH/RSA 
&nbsp;  3:  57 DHE-RSA-AES256-SHA              256  TLS1  Compat AES    SHA    EDH/RSA 
&nbsp;  4:  10 DES-CBC3-SHA                    192  SSL3  Native DES    SHA    RSA    
&nbsp;  5:  10 DES-CBC3-SHA                    192  TLS1  Native DES    SHA    RSA    
&nbsp;  6:  22 DHE-RSA-DES-CBC3-SHA            192  SSL3  Compat DES    SHA    EDH/RSA 
&nbsp;  7:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1  Compat DES    SHA    EDH/RSA 
&nbsp;  8:   4 RC4-MD5                         128  SSL3  Native RC4    MD5    RSA    
&nbsp;  9:   4 RC4-MD5                         128  TLS1  Native RC4    MD5    RSA    
&nbsp; 10:   5 RC4-SHA                         128  SSL3  Native RC4    SHA    RSA    
&nbsp; 11:   5 RC4-SHA                         128  TLS1  Native RC4    SHA    RSA    
&nbsp; 12:  47 AES128-SHA                      128  SSL3  Native AES    SHA    RSA    
&nbsp; 13:  47 AES128-SHA                      128  TLS1  Native AES    SHA    RSA    
&nbsp; 14:  51 DHE-RSA-AES128-SHA              128  SSL3  Compat AES    SHA    EDH/RSA 
&nbsp; 15:  51 DHE-RSA-AES128-SHA              128  TLS1  Compat AES    SHA    EDH/RSA 
&nbsp;  
&nbsp; I don't know how to put TLS1 before SSL3 
&nbsp;  
&nbsp; Thanks

soymanue · Answer

One more thing, 
&nbsp; How do I disable SSL3? !SSL3 o !SSLv3 don't seen to work. &nbsp;

Forum Discussion

Performance with SSL Server Offload

Recent Discussions

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

BIG-IP Oauth Client and AS

F5 BOT DEFENSE AWAF blocked some legitimate browsers

Advice to partial rename uri path

Submenus missing in ASM Security Tab

Related Content

Understanding Performance Metrics and Network Traffic

Performance Logging iRule (Rule_http_log)

Intermediate iRules: Evaluating Performance

What is server offload and why do I need it?

FTPS Offload via iRules

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS