Forum Discussion

JamesE_234305's avatar
JamesE_234305
Icon for Nimbostratus rankNimbostratus
Oct 17, 2017

SSL Intercept SHA1 Certificate

I am trying to set up SSL intercept to decrypt outbound SSL for inspection. I am not doing anything fancy just a basic decryption zone between the internal and external F5. Everything works except ...
application delivery
BIG-IP
LTM
security
  • Pedro_Roure_249's avatar
    Pedro_Roure_249
    Jul 26, 2018

    I opened a support ticket with F5 and the F5 engineer who answered the ticket made the following recommendation:

     

    "configure a trusted certificate authority bundle in the server ssl profile. The default bundle contains many well-known public CA certs for server-side processing."

     

    After I did this, the problem was solved.

     

    Thanks.

     

JamesE_234305's avatar
JamesE_234305
Icon for Nimbostratus rankNimbostratus
Oct 23, 2017

ltm virtual SSLi-Ingress { destination 0.0.0.0:any ip-protocol tcp mask any pool SSL-Ingress-Any profiles { SSLi-Ingress-Client { context clientside } SSLi-Ingress-Server { context serverside } http { } tcp { } } rules { SSLi-with-URL } source 0.0.0.0/0 source-address-translation { type automap } translate-address disabled translate-port enabled vs-index 18 }

 

ltm profile client-ssl SSLi-Ingress-Client { alert-timeout indefinite allow-dynamic-record-sizing disabled allow-expired-crl disabled allow-non-ssl disabled app-service none authenticate once authenticate-depth 9 bypass-on-client-cert-fail disabled bypass-on-handshake-alert disabled ca-file none cache-size 262144 cache-timeout 3600 cert cybersec-subca.crt cert-extension-includes { basic-constraints extended-key-usage subject-alternative-name } cert-key-chain { cybersec-subca_cyberrootca { cert cybersec-subca.crt chain cyberrootca.crt key cybersec-subca.key } } cert-lifespan 30 cert-lookup-by-ipaddr-port disabled chain cyberrootca.crt cipher-group none ciphers DEFAULT client-cert-ca none crl-file none defaults-from clientssl destination-ip-blacklist none destination-ip-whitelist none forward-proxy-bypass-default-action intercept generic-alert enabled handshake-timeout 10 hostname-blacklist none hostname-whitelist none inherit-certkeychain false key cybersec-subca.key max-active-handshakes indefinite max-aggregate-renegotiation-per-minute indefinite max-renegotiations-per-minute 5 maximum-record-size 16384 mod-ssl-methods disabled mode enabled notify-cert-status-to-virtual-server disabled ocsp-stapling disabled options { dont-insert-empty-fragments } passphrase none peer-cert-mode ignore peer-no-renegotiate-timeout 10 proxy-ca-cert cybersec-subca.crt proxy-ca-key cybersec-subca.key proxy-ssl disabled proxy-ssl-passthrough disabled renegotiate-max-record-delay indefinite renegotiate-period indefinite renegotiate-size indefinite renegotiation enabled retain-certificate true secure-renegotiation require server-name none session-mirroring disabled session-ticket disabled session-ticket-timeout 0 sni-default false sni-require false source-ip-blacklist none source-ip-whitelist none ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled ssl-sign-hash sha256 strict-resume disabled unclean-shutdown enabled } ltm profile server-ssl SSLi-Ingress-Server { app-service none ca-file ca-bundle.crt cert ca-bundle.crt defaults-from serverssl key default.key peer-cert-mode require secure-renegotiation request ssl-forward-proxy enabled ssl-forward-proxy-bypass enabled ssl-sign-hash sha256 }