Forum Discussion
soymanue
Nimbostratus
Jan 14, 2010
Performance with SSL Server Offload
Hello
We have changed Linux LVS for LTM to balance our SSL Apache servers. During the migration, we have also installed the public SSL certificates in the LTMs to offload the Apaches, and we are using internal certificates between the LTM and the Apaches.
Since then, the measured time to open the main page is quite a bit worse than it used to be.
After activating a OneConnect profile with a 255.255.255.255 mask, the performance has improved, but is still quite a bit worse than it used to be.
With a sniffer, the captures show that it looks as if certificate ciphering is happening continuously:
Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
If the SSL profile and certificate are removed from the LTM, the system behaves as it used to. Ciphering is negotiated at the beginning of the session.
The LTM negotiates SSLv3 with the client when it has the certificate. The Apache server negotiates TLS1.
3 Replies
- hoolio
Cirrostratus
Hi,
Which LTM version and platform are you using? Can you try creating a custom server SSL profile and disabling SSLv2 and SSLv3 in the profile?
If that doesn't work, you might try opening a case with F5 Support so they can review your full configuration and tcpdump/ssldumps.
Aaron
- soymanue
Nimbostratus
Hello
I'm using version 10.0.1 build 283.0.
The SSL profile has these cipher chains:
DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!DH:@STRENGTH
Which looks like this:
0: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
2: 57 DHE-RSA-AES256-SHA 256 SSL3 Compat AES SHA EDH/RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1 Compat AES SHA EDH/RSA
4: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
5: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
6: 22 DHE-RSA-DES-CBC3-SHA 192 SSL3 Compat DES SHA EDH/RSA
7: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Compat DES SHA EDH/RSA
8: 4 RC4-MD5 128 SSL3 Native RC4 MD5 RSA
9: 4 RC4-MD5 128 TLS1 Native RC4 MD5 RSA
10: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
11: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
12: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
13: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
14: 51 DHE-RSA-AES128-SHA 128 SSL3 Compat AES SHA EDH/RSA
15: 51 DHE-RSA-AES128-SHA 128 TLS1 Compat AES SHA EDH/RSA
I don't know how to put TLS1 before SSL3.
Thanks
- soymanue
Nimbostratus
One more thing,
How do I disable SSL3? !SSL3 or !SSLv3 don't seem to work.
