Forum Discussion

Nuruddin_Ahmed_
May 14, 2016

Proxy SSL Cipher Suite

Hi,

I've been trying to make proxy SSL work for many days, after a lot of research. I want to know whether proxy SSL requires specific ciphers to be used. I am using DEFAULT for both the client and server SSL profiles. I am getting an error which could be related to ciphers.

Regards

21 Replies

  • Hello

    What is the error message?

    AFAIK, the proxy SSL feature supports only RSA.

    No support for DH, EDH and ECC.

    • Nuruddin_Ahmed_
      Hi, what would be the appropriate line which I can write instead of DEFAULT in the cipher suite field for RSA? The error message is seen in the explorer window; I still have not run the packet capture. I would do further troubleshooting once the cipher suites are correct. I am a newbie :(
    • Yann_Desmarest
      Unfortunately, as there is no SSL bridging nor offloading configured on the BIG-IP, ciphers are negotiated between the browser and the backend server.
    • Nuruddin_Ahmed_
      Just wanted to know one thing. In the server SSL and client SSL profile, we would be providing on the Server certification. I have a single certificate for web server authentication as well as for client authentication. Do I need to get a certificate for server authentication only, which would work?
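
The first reply above says Proxy SSL supports only RSA key exchange, not DH, EDH or ECC. As an added example (not from the thread or from F5), this sketch sorts IANA- or OpenSSL-style suite names, such as those seen in a handshake capture, by whether the key exchange is static RSA; the sample list is constructed and the prefix table covers common suites only.

```python
import re

# OpenSSL-style prefixes whose key exchange is not static RSA (common suites only).
NON_RSA_PREFIXES = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH",
                    "PSK", "SRP", "KRB5"}

def key_exchange(suite: str) -> str:
    """Return a key-exchange label for an IANA- or OpenSSL-style suite name."""
    name = suite.strip().upper()
    if name.endswith("_SCSV"):
        return "SCSV"                     # signalling value, not a real suite
    iana = re.match(r"^(?:TLS|SSL)_(.+?)_WITH_", name)
    if iana:
        return iana.group(1)              # "RSA", "ECDHE_RSA", "DHE_DSS", ...
    if name.startswith("TLS_"):
        return "TLS1.3"                   # TLS 1.3 suites always use (EC)DHE
    if name.startswith("EXP"):
        return "EXPORT"                   # export suites may use a temporary key
    if name.startswith("RSA-PSK"):
        return "RSA_PSK"
    first = name.split("-")[0]
    # OpenSSL omits the prefix for plain RSA key exchange, e.g. AES128-SHA.
    return first if first in NON_RSA_PREFIXES else "RSA"

def split_by_rsa(suites):
    """Partition suite names into (static RSA key exchange, everything else)."""
    rsa, other = [], []
    for s in suites:
        (rsa if key_exchange(s) == "RSA" else other).append(s)
    return rsa, other

# Constructed sample: suite names as a capture of a handshake might list them.
SAMPLE = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES256-SHA",
    "AES256-SHA256",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    rsa, other = split_by_rsa(SAMPLE)
    print("static RSA key exchange:", rsa)
    print("other key exchange     :", other)
```
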
  • Thanks Yann, you have been of great help. From the ssldump, I can see that some of the machines are matching ciphers; it looks like it should be working for them, but for my test machines I get a TCP reset straight away, which could be because of a cipher suite mismatch. Below are some of the logs -