For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

basemsousan1985's avatar
basemsousan1985
Icon for Nimbostratus rankNimbostratus
Dec 29, 2016

SSL Bridging issue

Hi Guys,   Actually, I am new regarding to SSL operations.   I am going to create a Virtual Server which will plays SSL bridging between the clients and the nodes,   between the Virtual...
application delivery
BIG-IP
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Dec 29, 2016

Normally the server SSL profile doesn't matter. As the client in this case, it's receiving the server's cert in the SSL handshake, which it will silently ignore if it can't validate it. You can install a CA bundle in the server SSL profile to validate the server's cert, but generally you don't have to. The only other things you might need to worry about would be:

 

  1. Cipher compatibility - the DEFAULT cipher stack should be able to accommodate later web servers. Otherwise you can switch to the built-in 'serverssl-insecure-compatible' profile, which supports older ciphers.

     

  2. RFC5746 renegotiation - the generic server SSL profile requires strict adherence to RFC5746 "Secure Renegotiation", which is sometimes not supported by older servers. Again you can switch to the 'serverssl-insecure-compatible' profile to test this, or simply set Secure Renegotiation option in your server SSL profile to 'Request'.

     

I'd start with the generic server SSL profile though, as that'll work most of the time.