
Forum Discussion

NickN01_135377
Nimbostratus
May 14, 2014

SSL Certificate Test?

Hello All,

I'm working on LTM VIPRION version 11.3 and I'm wanting to SSL terminate from clients on the VIP.

I have created config for the VIP, pool and monitor and an SSL profile. I have also generated the SSL CSR and got a CRT back from the CA. The SSL certificate has been imported using the GUI and I can see the CERT and KEY under the contents of the SSL Certificate List.

I can also see the CRT when I run "tmsh list /sys crypto cert".

So far so good... So the big question I need help on please is...

How can I tell the SSL is working and encrypting the comms from the client to the VIP?

I have run a "tcpdump -nni -X -s0 host -w /var/tmp/SSL-CAP.dmp" and looked through Wireshark for the specific password using the filter tcp contains "PASSWORD" but nothing is displayed...

Is there any other way of double checking that the data is encrypted between client and VIP running SSL?

Any tips or tricks would be greatly appreciated as I'd rather be 100% sure. Thanks


38 Replies

  • Surely the LTM should encrypt any client to VIP:7003 or on any other port with Client SSL profile assigned?

    yes

    can you try these?

     curl -Ik https://10.10.10.36:7003/
     curl -I http://10.10.10.36:7003/
    
  • Yes sure... but the actual test string is https://10.10.10.36:7003/aip/index.jsp. Hope that's ok? Results below as requested, one for HTTPS and one for HTTP.

     curl -Ik https://10.10.10.36:7003/aip/index.jsp
     HTTP/1.1 200 OK
     Cache-Control: no-cache
     Date: Mon, 19 May 2014 09:19:00 GMT
     Pragma: no-cache
     Content-Type: text/html;charset=UTF-8
     Expires: Thu, 01 Jan 1970 00:00:00 GMT
     Set-Cookie: JSESSIONID=jkytT5MGJhW0Bc6s8gZGpfzvDkzyLLMRHQ4QFwcQTcwTQsWnWLPj!1460775677; path=/; HttpOnly
     X-ORACLE-DMS-ECID: 0000KOJliN833F8Lzik3yW1JSvvO0006lc
     X-Powered-By: Servlet/2.5 JSP/2.1
     Set-Cookie: PRE_AIP=3881370634.23323.0000; path=/
     Transfer-Encoding: chunked

    and

     curl -I http://10.10.10.36:7003/aip/index.jsp
     curl: (52) Empty reply from server


  • curl -I http://10.10.10.36:7003/aip/index.jsp
    curl: (52) Empty reply from server

    doesn't this mean traffic is already encrypted (since https works but http does not)?


  • I guess that's correct, I'm not too familiar with curl. I think the server is only expecting requests on http(s)://10.10.10.36:7003 and not just http://10.10.10.36:7003

    I'm just a bit worried that when tcpdumping on the VIP interface, the traffic is in the clear from client to VIP on 7003. This is the same on any port other than 443, and on v9 LTM too.


  • I'm just a bit worried that when tcpdumping on the VIP interface, the traffic is in the clear from client to VIP on 7003. This is the same on any port other than 443, and on v9 LTM too.

    I do not think you can see plain text unless you have the key to decrypt it.


  • Are we saying that when I tcpdump on the F5 for VIP:7003 traffic, I can see plain text usernames and passwords because I'm running tcpdump on the F5, which holds the key and cert for this VIP?

    If this was the case, I would expect to see the same usernames and passwords when tcpdumping on VIP:443 also?


  • I can see plain text usernames and passwords because I'm running tcpdump on the F5, which holds the key and cert for this VIP?

    no, you have to supply the private key to ssldump to decrypt it. tcpdump won't be able to decrypt traffic.

    what tcpdump filter did you use? can you try something like this?

     tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 10.10.10.36 and port 7003 -v

  • Cheers Nitass,

    I was running the following to capture everything on the ingress interface... I'm the only one with access to testing at the moment so mine's the only traffic coming through.

     tcpdump -nni Front_Interface -X -s0 host 10.10.10.36 -w /var/tmp/HTTPS-7003.dmp

    I've also tested with your capture as requested above.

     tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 10.10.10.36 and port 7003 -v

    Same results I'm afraid, I can see the username and password still....

    Hmmm, I'm not sure what's going on here. I just want to be 100% sure that this traffic can't be sniffed on the wire or that there's some sort of bug in tcpdump or TMOS.

    Is anyone else experiencing this issue? Strange.
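An added check for the question in the original post (is the client-to-VIP traffic actually TLS?) and for the later point that tcpdump cannot decrypt what it captures. The script below is example code written for this page; it is not from the thread, from F5 or from TMOS. It reads a classic libpcap file such as the one tcpdump -w writes, walks Ethernet/IPv4/TCP, classifies the first data segment of each flow as a TLS record (content type 20-23, version 3.x) or as cleartext HTTP, and flags whether a search string such as PASSWORD appears in cleartext. A capture on interface 0.0 of a BIG-IP contains both the client-to-VIP connection and the separate BIG-IP-to-pool-member connection of the full proxy, so the report is keyed by source and destination address and port to keep the two legs apart. The embedded pcap is constructed: one segment shaped like a TLS ClientHello from an assumed client 192.0.2.10 to the VIP 10.10.10.36:7003 named in the thread, and one cleartext POST between assumed addresses 10.10.20.5 and 10.10.20.50, so the script runs offline and shows both outcomes.

```python
"""Tell TLS records from cleartext in a libpcap file, per TCP flow.

Added example, not from the thread, F5 or TMOS. Handles Ethernet/IPv4/TCP in
classic libpcap format (not pcapng, not the nanosecond variant).
"""
import struct

LINKTYPE_ETHERNET = 1
TLS_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
             0x16: "handshake", 0x17: "application_data"}
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/")


def classify_payload(payload):
    """Return 'tls:<type>', 'plaintext:http' or 'unknown' for a TCP payload."""
    if len(payload) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        # TLS record header: content type 20-23, version 3.x, length <= 2^14 + 2048
        if ctype in TLS_TYPES and major == 3 and minor <= 4 and length <= 18432:
            return "tls:" + TLS_TYPES[ctype]
    if payload.startswith(HTTP_STARTS):
        return "plaintext:http"
    return "unknown"


def iter_tcp_segments(pcap):
    """Yield (src, sport, dst, dport, payload) for each IPv4/TCP frame with data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                                        # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield src, sport, dst, dport, payload


def scan_capture(pcap, needle=b"PASSWORD"):
    """Map (src, sport, dst, dport) -> (classification, needle seen in cleartext)."""
    report = {}
    for src, sport, dst, dport, payload in iter_tcp_segments(pcap):
        key = (src, sport, dst, dport)
        if key in report:                 # classify on the first data segment only
            continue
        kind = classify_payload(payload)
        report[key] = (kind, kind.startswith("plaintext") and needle in payload)
    return report


# --- constructed sample capture; addresses other than the VIP are assumed ---

def _ipv4(a):
    return bytes(int(x) for x in a.split("."))


def _tcp_frame(src, sport, dst, dport, payload):
    """Ethernet/IPv4/TCP frame; checksums stay zero since nothing here validates them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     _ipv4(src), _ipv4(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1400000000 + i, 0, len(f), len(f)) + f
    return out


def _client_hello():
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"              # version, random, no session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00" + b"\x00\x00")  # one suite, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


CLEARTEXT_POST = (b"POST /aip/login HTTP/1.1\r\nHost: 10.10.10.36:7003\r\n"
                  b"Content-Length: 31\r\n\r\nusername=nick&password=PASSWORD")

SAMPLE_PCAP = _pcap([
    _tcp_frame("192.0.2.10", 51000, "10.10.10.36", 7003, _client_hello()),  # client -> VIP
    _tcp_frame("10.10.20.5", 40000, "10.10.20.50", 7003, CLEARTEXT_POST),   # assumed second leg
])

if __name__ == "__main__":
    for (src, sport, dst, dport), (kind, leaked) in scan_capture(SAMPLE_PCAP).items():
        print(f"{src}:{sport} -> {dst}:{dport}  {kind}  cleartext needle: {leaked}")
```

Against a real file, call scan_capture(open('/var/tmp/output.pcap', 'rb').read()). A flow to the VIP address and port reported as tls:handshake is positive confirmation that the client leg is encrypted, which Wireshark's tcp contains filter can only show by absence; any flow reported as plaintext tells you which source and destination pair is carrying the cleartext, so the client leg and the server leg are not confused with each other.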