Forum Discussion
Query regarding SSL client side cert
Hi, I have a VIP created for abc.om and an SSL client-side certificate is attached. But I'm unable to get through SSL.
Background: The server team installed the same cert on the server too, and the server is redirecting to another Okta URL, xyz.com, where the SSL certificate seems to be coming from the Okta one.
When I did a packet capture, I was able to see:
client hello
continuation data
54009>https ack
continuation data
https>54009 Ack but tcp check sum incorrect error
https>54009 FIN, ACK.
Wanted to understand if I can apply the SSL client side on the F5 VIP? Something needs to be tweaked in order for SSL to work on the VIP.
Request you to help me understand the SSL client-side certificate.
Regards, Rajneesh
Do you have the SSL certificate also terminated on the back-end servers? If yes, you need to add a server-side SSL profile to the VIP (in addition to the client-side SSL profile).
modify ltm virtual <virtual_server_name> profiles add { serverssl }
- youssef1
Cumulonimbus
Hi Rajneesh,
In your case you want to set up interception (decryption).
So if your backend listens on TLS (HTTPS), you must have an "ssl server" profile.
SSLclient allows you to manage traffic between the client and the F5 VS (client side).
But you have to add an "ssl server" profile in order to allow the F5 to manage traffic between the F5 and the backend server (server side). Without this profile, the F5 doesn't know how to manage TLS traffic with your backend and you will receive a reset or FIN...
So you have to add an sslserver profile to your VS. You can use "serverssl-insecure-compatible".
Keep me posted if you need more details.
Regards,
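
Added example, not part of the original replies: a tmsh sketch of the server-side profile both answers call for, showing the stock profile attachment beside a custom profile that also validates the back-end certificate. The names `vs_abc_443`, `backend_serverssl` and `backend.example.internal`, and the use of `ca-bundle.crt` as the trust store, are assumptions for illustration.

```tmsh
# Assumed names (not from the thread):
#   vs_abc_443               - the virtual server (VIP)
#   backend_serverssl        - a new custom server-side SSL profile
#   backend.example.internal - the name expected in the back-end certificate

# 1. Check which profiles the virtual server carries now.
#    In the situation described, only a client-side SSL profile is listed,
#    so the BIG-IP sends decrypted traffic to a back end that expects TLS.
list ltm virtual vs_abc_443 profiles

# 2a. Fix as given in the replies: attach the stock server-side profile so
#     traffic is re-encrypted between the BIG-IP and the back end.
modify ltm virtual vs_abc_443 profiles add { serverssl { context serverside } }

# 2b. Alternative to 2a (attach one server-side profile, not both):
#     a custom profile that inherits from serverssl and additionally requires
#     a back-end certificate that chains to the CA bundle and carries the
#     expected name. server-name sets the SNI value sent to the back end.
create ltm profile server-ssl backend_serverssl defaults-from serverssl ca-file ca-bundle.crt peer-cert-mode require authenticate-name backend.example.internal server-name backend.example.internal
modify ltm virtual vs_abc_443 profiles add { backend_serverssl { context serverside } }

# 3. Verify: both a clientside and a serverside SSL profile should now be
#    listed, and the server-side profile's counters should increase when a
#    client connects through the VIP.
list ltm virtual vs_abc_443 profiles
show ltm profile server-ssl backend_serverssl
```

With certificate validation required as in 2b, a back-end certificate that does not chain to the configured CA bundle or does not match the expected name causes the server-side handshake to fail, so confirm the back-end certificate first.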