Forum Discussion
SSL Certificate Test?
Hello All,
I'm working on LTM VIPRION version 11.3 and I'm wanting to SSL terminate from clients on the VIP.
I have created the config for the VIP, pool, monitor and SSL profile. I have also generated the SSL CSR and got a CRT back from the CA. The SSL certificate has been imported using the GUI and I can see the CERT and KEY under the contents of the SSL Certificate List.
I can also see the CRT when I run "tmsh list /sys crypto cert".
So far so good... So the big question I need help on please is...
How can I tell the SSL is working and encrypting the comms from the client to the VIP?
I have run a "tcpdump -nni -X -s0 host -w /var/tmp/SSL-CAP.dmp" and looked through the Wireshark capture for the specific password using the filter tcp contains "PASSWORD", but nothing is displayed...
Is there any other way of double checking that the data is encrypted between the client and the VIP running SSL?
Any tips or tricks would be greatly appreciated, as I'd rather be 100% sure. Thanks
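One way to answer the question from a capture rather than by searching for a password string: the first bytes of each TCP payload tell you whether the client is speaking TLS or plaintext HTTP. The script below is an added example (not from the original post or from F5) that classifies a payload as a TLS record, extracting the SNI from a ClientHello, or as plaintext HTTP; the ClientHello it parses is constructed inline as sample input.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"HTTP/")


def classify_payload(data: bytes) -> str:
    """Classify the leading bytes of one TCP payload taken from a capture.

    Returns 'plaintext-http', 'tls:<content type>' (plus the SNI for a
    ClientHello) or 'unknown'. A client SSL profile that really terminates
    TLS produces only 'tls:*' payloads on the client side of the VIP."""
    if data.startswith(HTTP_PREFIXES):
        return "plaintext-http"
    if len(data) < 5:
        return "unknown"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3 or minor > 4:   # TLS record header: type, version 3.x
        return "unknown"
    label = "tls:" + CONTENT_TYPES[ctype]
    if ctype == 22 and len(data) > 5 and data[5] == 1:           # handshake type 1 = ClientHello
        sni = _client_hello_sni(data[5:5 + length])
        label += " ClientHello" + (f" sni={sni}" if sni else "")
    return label


def _client_hello_sni(hs: bytes):
    """Walk the ClientHello body to the server_name extension (type 0), if present."""
    pos = 4 + 2 + 32                                             # handshake header, version, random
    pos += 1 + hs[pos]                                           # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]           # cipher suites
    pos += 1 + hs[pos]                                           # compression methods
    if pos + 2 > len(hs):
        return None
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        if etype == 0:                                           # list len(2), name type(1), name len(2), name
            name_len = struct.unpack("!H", hs[pos + 7:pos + 9])[0]
            return hs[pos + 9:pos + 9 + name_len].decode("ascii", "replace")
        pos += 4 + elen
    return None


def build_client_hello(sni: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record carrying one SNI."""
    name = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Against a live virtual server, `openssl s_client -connect <vip>:<port>` performs the same check interactively: a completed handshake showing the imported certificate on that port confirms the client SSL profile is in effect.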
38 Replies
- NickN01_135377
Nimbostratus
Brilliant, thanks for the help.
The issue I was having was that I created two VIPs:
VIP1 on port 443, which load balanced to port 7013 plus SSL profile and relevant certs. VIP2 on port 8003, which load balanced to port 8003 plus SSL profile and relevant certs.
VIP1 encrypted everything as expected, but VIP2 would not encrypt anything on port 8003.
The only way I could get VIP2 to encrypt is either to change from VIP2:8003 to VIP:443 or to redirect using an iRule.
Currently for VIP2:8003 the tcpdump shows GET/POST, usernames and passwords, but for VIP1:443 with the same config the tcpdump shows encryption.
Is there any way of keeping the initial definition of VIP2:8003 and still using SSL encryption?
- Cory_50405
Noctilucent
Yes. You can just apply a client SSL profile to your port 8003 virtual server. That'll force SSL encryption between the client and that virtual server. SSL doesn't care about the TCP port being used.
- NickN01_135377
Nimbostratus
Cheers Corby,
I already tried this on VIPRION version 11 and on BIG-IP v9. I created VIP2:8003 with a client SSL profile and VIP1:443 with a client SSL profile.
I then ran the URL and a tcpdump. The tcpdump for VIP2 shows data and the username and password.
Whereas for VIP:443 + client SSL profile, the tcpdump shows everything as encrypted.
I'm not sure what the issue is with VIP2:8003 not encrypting data, but any ideas?
- Cory_50405
Noctilucent
Can you post the configuration for your 8003 virtual server? From tmsh would be best (list ltm virtual virtualservername). Also the SSL profile and any associated iRules also applied to that virtual server. Sanitized, of course.
- NickN01_135377
Nimbostratus
Cheers Corby, much appreciated...
Please see below. If you need anything else, let me know please, as this is driving me mad.
ltm virtual VIP2 {
description VIP2 destination 10.10.10.36:7003 ip-protocol tcp mask 255.255.255.255 persist { COOKIE_PERSIST { default yes } } pool VIP2POOL profiles { SSL-PROFILE { context clientside } HTTP_COMPRESSION { } HTTP_PROFILE { } analytics { } tcp { } } source 0.0.0.0/0 source-address-translation { type automap } vlans-disabled}
ltm pool VIP2POOL {
load-balancing-mode least-connections-member members { SERVER1:7003 { address 10.10.10.10 session monitor-enabled state down } SERVER2:7003 { address 10.10.10.11 session monitor-enabled state down } } monitor HTTP_MONITOR service-down-action reselect slow-ramp-time 0}
ltm monitor http HTTP_MONITOR {
defaults-from http destination *:7003 interval 30 recv "200 OK" send "GET /aip/index.jsp HTTP/1.1\\r\\nHost: \\r\\nConnection: Close\\r\\n\\r\\n" time-until-up 0 timeout 91}
ltm persistence cookie COOKIE_PERSIST {
app-service none cookie-name PRE_COOKIE defaults-from cookie}
ltm profile http HTTP_PROFILE {
app-service none defaults-from http header-insert "WL-Proxy-SSL: true" redirect-rewrite matching}
ltm profile http-compression HTTP_COMPRESSION {
app-service none content-type-exclude none content-type-include { application/vnd.ms-publisher "application/(xls|excel|msexcel|ms-excel|x-excel|x-xls|xmsexcel|x-ms-excel|vnd.excel|vnd.msexcel|vnd.ms-excel)" "application/(word|doc|msword|winword|ms-word|x-word|x-msword|vnd.word|vnd.msword|vnd.ms-word)" "application/(xml|x-javascript|javascript|x-ecmascript|ecmascript)" "application/(powerpoint|mspowerpoint|ms-powerpoint|x-powerpoint|x-mspowerpoint|vnd.powerpoint|vnd.mspowerpoint |vnd.ms-powerpoint|vnd.ms-pps)" "application/(mpp|msproject|x-msproject|x-ms-project|vnd.ms-project)" "application/(visio|x-visio|vnd.visio|vsd|x-vsd|x-vsd)" "application/(pdf|x-pdf|acrobat|vnd.pdf)" } defaults-from httpcompression}
tcpdump -nni 0.0 -X -s0 host 10.10.10.36 -w /var/tmp/PRE-AIPONLINE.dmp
ltm profile client-ssl SSL-PROFILE {
app-service none cert SSL.net.crt defaults-from clientssl key SSL.net.key}
- Cory_50405
Noctilucent
So everything looks good in your configuration. If you are taking the capture on the client side of this connection (to/from 10.10.10.36), then it should absolutely be encrypted. Can you post a screenshot of the Wireshark capture showing the unencrypted layer 7 data?
Your two pool members are failing the HTTP health check though. This will prevent connections from the client to the server through the BIG-IP.
- NickN01_135377
Nimbostratus
Hey Corby, yes the HTTP monitor was failing but is now up. Hope it's clear enough to see Https://rlogin
and the username NICKN, password etc...
Let me know your thoughts please.
- Domai
Altostratus
When you hit this VIP, do you see the cert info in the browser (the padlock)?
- Cory_50405
Noctilucent
Yep, certainly no SSL used in this capture. What I don't see in the capture is the specified TCP port. Is this capture taken on the BIG-IP or the client, and is it destined for the port 7003 virtual server with the configuration you posted above?