Redirecting out of HTTPS

Is the SSL terminating on the BIGIP or is it on the pool member?

 

 

CB

terminating on the f5. Looks like it worked but there was a conflicting irule on the http side redirecting some back to the https side.

 

 

After i fixed that problem it looks like there are some external webtrend links that we're sending in regular http, so the user got a message saying some parts of the page we're not ssl , so I did a http_reponse rewrite that changed everythign to https. and now there is a certificate error on the page because the webtrends image is coming from an ssl site that doesn't match the url in the user browser.. Any ideas on how to fix that other then removing the external webtrends tracking images from an ssl site?

 

 

 

 

I didn't think most browsers would generate a security warning if certain content was served via HTTPS from a non-local domain. If you use HttpFox for Firefox or Fiddler for IE, what request generates the warning? What is the exact text of the warning?

 

 

Aaron

So, there wouldn't be a certificate error usually if an ssl page had content from two separate ssl sites if one doesn't match the url you went to in the address bar?

 

 

lets say I went to https://www.americanexpress.com and inside that page there is an image from https://status.webtrends.com/id/image233424.gif?blahblah.

 

 

Maybe my rewrite code is too all inclusive I used

 

 

 

when HTTP_RESPONSE {

 

STREAM::disable

 

if {[HTTP::header value Content-Type] contains "text"}{

 

STREAM::expression {@[hH][tT][tT][pP]://@https://@}

 

STREAM::enable

 

}

 

}

 

Posted By robert.henson@fishnetsecurity.com on 09/15/2009 7:34 AM

 

So, there wouldn't be a certificate error usually if an ssl page had content from two separate ssl sites if one doesn't match the url you went to in the address bar?

 

lets say I went to https://www.americanexpress.com and inside that page there is an image from https://status.webtrends.com/id/image233424.gif?blahblah.

 

 

 

 

Correct. That's what I've seen. If you're still getting a cert warning, can you use a browser plugin, wait for the error message, clear the logs and then click okay on the warning to load the content. You should then see the request which is triggering the error.

 

 

What is the exact error message? What is the request being made to and is it http:// or https://?

 

 

Aaron

fiddler didn't show any errors? But if we use IE to goto the page it has a bar pop-up at the top says problems with the certificate? it is because we have some certificates that are local for testing and trusting manually and some from webtrends and sharethis are real?

 

this is the content after accepting the errors.

 

 

CONNECT stage.test.com:443 HTTP/1.0

 

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)

 

Proxy-Connection: Keep-Alive

 

Content-Length: 0

 

Host: stage.test.com

 

Pragma: no-cache

 

________________________________________

 

CONNECT stage.test.com:443 HTTP/1.0

 

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)

 

Proxy-Connection: Keep-Alive

 

Content-Length: 0

 

Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB7IIogoACgAxAAAACQAJACgAAAAFASgKAAAAD0hPTDAwMjE1MUhPTUVPRkZJQ0U=

 

Pragma: no-cache

 

Host: stage.test.com

 

 

The data sent represents an SSLv3-compatible ClientHello handshake. For your convenience, the data is extracted below. Major Version: 0 Minor Version: 0 Random: null SessionID: null Ciphers: null

 

________________________________________

 

CONNECT w.sharethis.com:443 HTTP/1.0

 

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)

 

Proxy-Connection: Keep-Alive

 

Content-Length: 0

 

Host: w.sharethis.com

 

Pragma: no-cache

 

________________________________________

 

CONNECT w.sharethis.com:443 HTTP/1.0

 

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)

 

Proxy-Connection: Keep-Alive

 

Content-Length: 0

 

Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB7IIogoACgAxAAAACQAJACgAAAAFASgKAAAAD0hPTDAwMjE1MUhPTUVPRkZJQ0U=

 

Pragma: no-cache

 

Host: w.sharethis.com

 

 

The data sent represents an SSLv3-compatible ClientHello handshake. For your convenience, the data is extracted below. Major Version: 0 Minor Version: 0 Random: null SessionID: null Ciphers: null

 

________________________________________

 

CONNECT w.sharethis.com:443 HTTP/1.0

 

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)

 

Proxy-Connection: Keep-Alive

 

Content-Length: 0

 

Host: w.sharethis.com

 

Pragma: no-cache

 

________________________________________

 

CONNECT w.sharethis.com:443 HTTP/1.0

 

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)

 

Proxy-Connection: Keep-Alive

 

Content-Length: 0

 

Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB7IIogoACgAxAAAACQAJACgAAAAFASgKAAAAD0hPTDAwMjE1MUhPTUVPRkZJQ0U=

 

Pragma: no-cache

 

Host: w.sharethis.com

 

 

The data sent represents an SSLv3-compatible ClientHello handshake. For your convenience, the data is extracted below. Major Version: 0 Minor Version: 0 Random: null SessionID: null Ciphers: null

 

I'd guess that's an indication from the browser of an improperly chained server certificate--not an issue with some of the content being served from an external domain.

 

 

If you use a cert issued by a cert authority that the browser already has installed by default, the warning won't appear. Or if you have control over the client browser(s), you could install the root cert and the cert would be accepted. For a CA issued cert you may need to configure LTM to send a chain cert which ties the server cert to a root cert in the browser.

 

 

Aaron

So in production environment with a valid certificate from a valid CA like entrust we wouldn't be seeing this error?