Forum Discussion

Not_The_Good_Ke's avatar
Not_The_Good_Ke
Icon for Altocumulus rankAltocumulus
Sep 05, 2017

SSL decryption/re-encryption w/iRule feeding into HTTPS load balance

Hi Folk,   I'm attempting to set up SSL interception on a pair of F5 LTM in our DMZ that will feed into a second pair of F5 that is load balancing the HTTPS session internally on our network.   ...
application delivery
LTM
security
ssl
  • Not_The_Good_Ke's avatar
    Not_The_Good_Ke
    Nov 01, 2017

    I was able to get the service working after discovering the issue using tcpdump to capture the full flow of traffic.

     

    What I found was the client side SSL profile was working correctly, the LTM was intercepting the traffic and was decrypting the flow, and was using TLS 1.2. However when the LTM’s server side profile negotiated SSL with the server it was somehow settling on TLV 1.0, which the server rejected. I changed the cipher list in the SSL server profile to only use TLS 1.2 and everything worked.

     

Not_The_Good_Ke's avatar
Not_The_Good_Ke
Icon for Altocumulus rankAltocumulus
Nov 01, 2017

I was able to get the service working after discovering the issue using tcpdump to capture the full flow of traffic.

 

What I found was the client side SSL profile was working correctly, the LTM was intercepting the traffic and was decrypting the flow, and was using TLS 1.2. However when the LTM’s server side profile negotiated SSL with the server it was somehow settling on TLV 1.0, which the server rejected. I changed the cipher list in the SSL server profile to only use TLS 1.2 and everything worked.