Altostratus
AltostratusHi mihaic,
Thank you for your answer. I tried to add this iRule, but it seems than SSL Forward Proxy needs a licence on the BigIP device, which I don't have:
Nov 2 08:34:44 f5-0905 crit tmm2[20835]: 01260000:2: Profile /INFRA-DEV/smtp-dev.domain.com_CS: Forward Proxy is enabled without a license.For I think I will change my mind and let commuinication between F5 and the server unencrypted (SSL ofload).
Thank you very much for taking the time to answer me!
Regards,
Yanick
AdminThe iRule itself does not require forward proxy, I think that's a profile setting that is unnecessary with the irule (see below). Sam comments on this on the linked codeshare entry, if you still want to pursue the solution you're after.
Probably can disable these specific lines:
ltm profile client-ssl smtp.domain.com_CS {
ssl-forward-proxy enabled
ssl-forward-proxy-verified-handshake enabled
}
AltostratusHi JRahm,
On an F5 lab appliance we have deployed, we have all available licences, but it is limited to 10Mb/s.
I tried the iRule, but I was getting the same issue:
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
139865767704464:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1667338630
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
When using openssl (in STARTTLS mode), to test the connection, I will see on the /var/log/ltm, the "CLIENT_ACCEPTED" from the iRule debug line:
if { $DEBUG } { log local0. "CLIENT_ACCEPTED" }
Then it took maybe 10-15 seconds and the message "Didn't find STARTTLS in server response, trying anyway..." will appear.
I will now try your suggestion and disable ssl-proxy from the CS.
I'll keep you posted.
Thank you again for your reply.
Regards,
Yanick
AltostratusHi again!
I did the test, and I have the same result. Here is the config I have:
ltm profile client-ssl smtp-dev.domain.com-proxy-fwd_CS {
app-service none
cert-key-chain {
smtp-dev.domain_Sectigo_cert_chain_0 {
cert smtp-dev.domain.com_SECTIGO
chain /Common/Sectigo_cert_chain.crt
key smtp-dev.domain.com_SECTIGO
}
}
defaults-from /Common/udes_clientssl_profile
inherit-ca-certkeychain true
inherit-certkeychain false
}ltm profile server-ssl smtp-dev.domain.com-proxy-fwd_SS {
allow-expired-crl enabled
app-service none
defaults-from /Common/udes_serverssl_profile
peer-cert-mode ignore
revoked-cert-status-response-control ignore
unknown-cert-status-response-control ignore
}ltm virtual smtp-dev-25_vs {
creation-time 2022-11-02:10:30:50
destination 1.1.1.1%6:smtp
ip-protocol tcp
last-modified-time 2022-11-04:09:07:59
mask 255.255.255.255
partition INFRA-DEV
pool smtp-dev-25_pool
profiles {
/Common/tcp { }
smtp-dev.domain.com-proxy-fwd_CS {
context clientside
}
smtp-dev.domain.com-proxy-fwd_SS {
context serverside
}
}
rules {
smtp-starttls_rule
}
serverssl-use-sni disabled
source 0.0.0.0/0
translate-address enabled
translate-port enabled
vs-index 20
}
I'm using the iRules from the article postes by mihaic. Have the same behavior as described on my last post.
So, I think we will just use the F5 in passthru mode (no SSL) and install the certificate directly on the servers.
If someone has any suggestion I will be happy to test.
Thank you again for your help!
Yanick