Forum Discussion
SSL Certificate Test?
Hello All,
I'm working on an LTM VIPRION, version 11.3, and I'm wanting to SSL-terminate from clients on the VIP.
I have created the config for the VIP, pool, monitor and SSL profile. I have also generated the SSL CSR and got a CRT back from the CA. The SSL certificate has been imported using the GUI and I can see the CERT and KEY under the contents of the SSL Certificate List.
I can also see the CRT when I run "tmsh list /sys crypto cert".
So far so good..... So the big question I need help on, please, is....
How can I tell the SSL is working and encrypting the comms from the client to the VIP?
I have run "tcpdump -nni -X -s0 host -w /var/tmp/SSL-CAP.dmp" and looked through the capture in Wireshark for the specific password using the filter tcp contains "PASSWORD", but nothing is displayed...
Is there any other way of double-checking that the data is encrypted between the client and the VIP running SSL?
Any tips or tricks would be greatly appreciated, as I'd rather be 100% sure. Thanks
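One way to answer the question above directly from the capture, as an added example that is not code from the original thread: take the first TCP payload the client sends to the VIP (for instance with Wireshark's "Follow TCP Stream", client direction only) and check whether it is a TLS ClientHello record or an HTTP request line. A client-side SSL profile that is actually engaged produces a ClientHello as the first client bytes on that port; a request line at the start of the stream means the client never began TLS on that connection, whatever the browser shows. The parser below walks the record and handshake headers far enough to report the advertised version and the SNI, and also reproduces the tcp contains "PASSWORD" search. All sample bytes, host names and the cipher suite are constructed for the example, not taken from a real capture.

```python
# Added example (not code from the thread): classify the first payload bytes a
# client sends to a virtual server as a TLS ClientHello or as cleartext HTTP.
# All sample bytes below are constructed, not taken from a real capture.
import struct

HANDSHAKE_RECORD = 0x16      # TLS record type: handshake
CLIENT_HELLO = 0x01          # handshake message type: ClientHello
SNI_EXTENSION = 0x0000       # server_name extension id
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def parse_client_hello(data):
    """Return {'version': ..., 'sni': ...} if data starts with a ClientHello, else None.

    Only the record header, handshake header and the fields needed to reach the
    extensions are parsed; anything malformed or truncated yields None.
    """
    if len(data) < 5 or data[0] != HANDSHAKE_RECORD or data[1] != 0x03:
        return None
    (record_len,) = struct.unpack("!H", data[3:5])
    body = data[5:5 + record_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hello_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hello_len]
    if len(hello) < 35:
        return None
    # legacy_version (2) + random (32); TLS 1.3 clients also put 3.3 here
    version = TLS_VERSIONS.get((hello[0], hello[1]), "unknown %d.%d" % (hello[0], hello[1]))
    pos = 34
    try:
        session_id_len = hello[pos]
        pos += 1 + session_id_len
        (suites_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2 + suites_len
        compression_len = hello[pos]
        pos += 1 + compression_len
    except (IndexError, struct.error):
        return None
    sni = None
    if pos + 2 <= len(hello):
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXTENSION and ext_data_len >= 5 and pos + 5 <= end:
                # server_name list: list length (2), name type (1), name length (2), name
                (name_len,) = struct.unpack("!H", hello[pos + 3:pos + 5])
                sni = hello[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_data_len
    return {"version": version, "sni": sni}


def classify_first_payload(data):
    """'tls' if a ClientHello opens the stream, 'plaintext-http' if an HTTP
    request line does, else 'unknown'."""
    if parse_client_hello(data):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def cleartext_hits(data, needles=(b"PASSWORD", b"password", b"passwd")):
    """Same idea as the Wireshark filter tcp contains "PASSWORD": which needles appear verbatim."""
    return [n.decode() for n in needles if n in data]


def build_client_hello(server_name, version=(3, 3)):
    """Construct a minimal ClientHello carrying an SNI, used here to exercise the parser."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type 0
    sni_ext = (struct.pack("!HH", SNI_EXTENSION, len(entry) + 2)
               + struct.pack("!H", len(entry)) + entry)
    hello = (bytes(version) + b"\x00" * 32            # version + (zeroed) random
             + b"\x00"                               # empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite (constructed choice)
             + b"\x01\x00"                           # null compression only
             + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: what the client side of a capture for each VIP might begin with.
SAMPLE_TLS = build_client_hello("app.example.internal")
SAMPLE_PLAINTEXT = (b"POST /login HTTP/1.1\r\nHost: vip2.example.internal:7003\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    b"username=corby&PASSWORD=s3cret")

if __name__ == "__main__":
    for label, payload in (("VIP1:443", SAMPLE_TLS), ("VIP2:7003", SAMPLE_PLAINTEXT)):
        print(label, classify_first_payload(payload),
              parse_client_hello(payload), cleartext_hits(payload))
```

Run it on the real first segment from each VIP's capture rather than the constructed samples; a stream that starts with a ClientHello carrying the expected version and SNI is encrypted from the first byte, and the password search should then find nothing on the client side regardless of port.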
38 Replies
- NickN01_135377
Nimbostratus
Hey Corby,
The command i use is tcpdump -nni Front-INTERFACE -X -s0 host ...36 -w /var/tmp/Dump-7003.dmp
The command is run on the BIG-IP to capture from client to VIP.
This is what I see in the browser, though... it's a little strange. It's as if it receives the info saying it's encrypted, but the HTTPS padlock is crossed out. TLS 1.2 with 128-bit encryption.
If I change from VIP2:7003 to VIP2:443 and keep all the rest of the config the same, it works.
The VIP2:7003 browser pic is pasted below. I'm totally stuck; as you can see, it says it's encrypted but it's not....
- Cory_50405
Noctilucent
Your browser is showing that encryption is in fact working. Unsure why your packet capture is saying differently, unless it's capturing on some other data flow.
- Domai
Altostratus
This is fine; the padlock is crossed because you are using the VIP to access this, not the host URL for which this cert was created (e.g. www.example.com), or you are using a self-signed cert. I just wanted to make sure that your clientssl is kicking in when you are using the 7003 VIP.
- NickN01_135377
Nimbostratus
Thanks all for your help so far...
It's a strange issue. So far I'm the only one with access to the VIP, so I'm the only one generating the data flow. The cert is an internal cert but verified by an internal CA. The IP is just not in DNS yet :) Thanks for the info on that.
I'm just not sure why VIP:443 encrypts everything yet VIP:7003 with the Client SSL profile doesn't.
It's a really strange problem, but because it's on an internal LAN I'd rather be 100% right.
Thanks to all for your help, really appreciate it. If you can think of anything else for me to check or test, let me know please, and thanks again.
- Cory_50405
Noctilucent
When you make the connection, your browser is showing TLS1.2 encryption so I don't think you have anything to worry about. The only way that encryption is going to be removed is if there's a proxy or server on the other end with the private key. Or a sophisticated man-in-the-middle which I doubt you have in your internal network.
- NickN01_135377
Nimbostratus
Yes, but what's worrying is that the capture taken on the load balancer for VIP1:443 shows everything encrypted, but VIP2:7003 shows full usernames and passwords.
Domai was right; I installed a newer version of my browser and edited the hosts file to get rid of the cross on the padlock in the browser.
So everything looks correct. I just need to check with F5 TAC that I've not missed anything with the VIP:7003 + client-side SSL profile.
Thanks for all your help.
- nitass
Employee
what's worrying is that the capture taken on the load balancer for VIP1:443 shows everything encrypted but VIP2:7003 shows full usernames and passwords
you have assigned a serverssl profile in vip1, haven't you?
can you post the vip1 configuration?
tmsh list ltm virtual (vip1 name)
tmsh list ltm pool (vip1 pool name)
- NickN01_135377
Nimbostratus
Hello,
VIP config as above. This is for client-side SSL, as I only want to encrypt traffic from users' browsers to the VIP.
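The configuration check nitass is asking for, as an added example that is not part of the thread: parse the output of `tmsh list ltm virtual <vip>` and `tmsh list ltm profile client-ssl` and report whether the virtual really carries a client-ssl profile in the clientside context. The virtual listing names the attached profiles but not their type, so the second listing is needed to tell a client-ssl profile from, say, a serverssl one attached on the server side. The tmsh text below is constructed in v11 style and every object name and address in it is made up.

```python
# Added example, not from the thread: parse tmsh brace-style output and check
# whether a virtual server has a client-ssl profile attached in the clientside
# context. The listings below are constructed; names and addresses are made up.


def parse_tmsh(text):
    """Turn tmsh brace output into nested dicts (leaf values kept as strings)."""
    block, _ = _parse_block(text.splitlines(), 0)
    return block


def _parse_block(lines, i):
    block = {}
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line == "}":
            break
        if not line:
            continue
        if line.endswith("{ }"):                  # empty sub-block, e.g. "http { }"
            block[line[:-3].strip()] = {}
        elif line.endswith("{"):                  # nested block
            sub, i = _parse_block(lines, i)
            block[line[:-1].strip()] = sub
        else:                                     # "key value" leaf
            key, _, value = line.partition(" ")
            block[key] = value
    return block, i


def clientssl_profile_names(profile_listing):
    """Names of all client-ssl profiles from `tmsh list ltm profile client-ssl`."""
    prefix = "ltm profile client-ssl "
    return {key[len(prefix):] for key in parse_tmsh(profile_listing) if key.startswith(prefix)}


def check_virtual(virtual_listing, profile_listing):
    """Return the virtual's destination and the client-ssl profiles attached clientside."""
    cfg = parse_tmsh(virtual_listing)
    name, virtual = next((k, v) for k, v in cfg.items() if k.startswith("ltm virtual "))
    known = clientssl_profile_names(profile_listing)
    attached = sorted(
        pname for pname, attrs in virtual.get("profiles", {}).items()
        if pname in known and attrs.get("context") == "clientside"
    )
    return {"virtual": name[len("ltm virtual "):],
            "destination": virtual.get("destination"),
            "clientssl": attached}


# Constructed listing: a virtual on port 7003 with a client-ssl profile attached.
VIP_WITH_CLIENTSSL = """\
ltm virtual vs_app_7003 {
    destination 192.0.2.10:7003
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_app_7003
    profiles {
        clientssl_app {
            context clientside
        }
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
"""

# Constructed listing: same virtual with only http and tcp profiles.
VIP_WITHOUT_CLIENTSSL = """\
ltm virtual vs_app_7003 {
    destination 192.0.2.10:7003
    ip-protocol tcp
    pool pool_app_7003
    profiles {
        http { }
        tcp { }
    }
}
"""

# Constructed output of `tmsh list ltm profile client-ssl`.
CLIENT_SSL_PROFILES = """\
ltm profile client-ssl clientssl {
    app-service none
    cert default.crt
    key default.key
}
ltm profile client-ssl clientssl_app {
    app-service none
    cert app.crt
    chain none
    defaults-from clientssl
    key app.key
}
"""

if __name__ == "__main__":
    print(check_virtual(VIP_WITH_CLIENTSSL, CLIENT_SSL_PROFILES))
    print(check_virtual(VIP_WITHOUT_CLIENTSSL, CLIENT_SSL_PROFILES))
```

On a real box, capture both listings to files and pass their contents to check_virtual; an empty "clientssl" list for the 7003 virtual means the profile that was created was never attached, or was attached under a name that is not a client-ssl profile.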
- nitass
Employee
VIP config as above
I think I do not see the vip1 configuration.
This is for client-side SSL, as I only want to encrypt traffic from users' browsers to the VIP.
you are using a clientssl profile in vip2, aren't you? vip1 is sending traffic to vip2, isn't it?
- NickN01_135377
Nimbostratus
Hey Nitass,
No, there's no redirection between the VIPs. They are completely separate.
I was under the impression that I could encrypt any client-to-VIP traffic by assigning the client-side SSL profile to a VIP on any port OTHER than 443 (VIP:HTTPS).
I wanted to encrypt my client-side browser SSL connections on VIP:7003, so I assigned it a Client SSL profile. This doesn't seem to be encrypting anything, so I was wondering what the issue was?
On the other hand, VIP:https with client-side encryption works perfectly fine.
Surely the LTM should encrypt any client traffic to VIP:7003, or to any other port with a Client SSL profile assigned?