SSL make login slow
Hi,
We're using an Apache web server to host my application. In front of it we have an F5 LTM 1600. The last engineer who set this up did the SSL redirect on the F5. On the Apache web server I did not find any SSL cert. It's using a setting in an iRule. Below is the iRule:
when HTTP_REQUEST {
HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
By doing this, we notice slowness when logging in to the system. The support maintenance has already expired and it is expensive to renew just to solve this issue. When I test with tcpdump, the response over HTTP is much faster than over HTTPS. We also tested using the openssl command:
openssl s_client -connect host.to.our.system.com:443
We get this error:
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 4585C1DC2D5EFE28197FC582D5DBCB5BC263468B1D33F5C3D3A6B13216E5D1DD
Session-ID-ctx:
Master-Key: 508F03208211204DABD9A691CAC300E2B3B1063F9A3E821AFB718C195FF4111D71E5503E42E6C9866248321AB61FF952
Key-Arg : None
Krb5 Principal: None
Start Time: 1404266098
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Do we need to put an SSL cert on the Apache web server? Do we need to change anything to improve performance on apache2? Please advise.
Thanks.
11 Replies
- Kevin_Stewart
Employee
I think perhaps there are two issues here.
- You apparently have an HTTP VIP that does nothing more than redirect requests to an HTTPS VIP. This is fine, but then consider what happens if every document reference in the returned HTML is for an http:// URL. For every object, the client has to make TWO requests. The best way to tell if this is actually happening is to perform a client side capture with a tool like Fiddler or HTTPWatch. If the client is indeed making two requests for many objects, then it's probably also a good idea to implement a STREAM rewrite iRule to replace all of those http:// references with https://. That way the client will talk directly to the HTTPS VIP. The STREAM::expression wiki page actually has a really good example of how to do that.
- There are also two separate SSL sessions here, at the VIP and at the web server. This too is fine, but consider the implications of first decrypting the traffic at the F5 and then re-encrypting to the server. You'll certainly get better performance in the client side SSL, but it'll be a wash on the server side. One of the F5's greatest strengths is its ability to process/offload SSL traffic really quickly, so it may be worth considering NOT re-encrypting to the web server. In lieu of that, you shouldn't need to put the server certs on the web server unless you have some (non-standard) reason to do so. Cryptography is CPU intensive, so you can expect it to be slower than without it.
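The "two requests per object" problem described above can be measured offline once you have a client-side capture: take the HTML body the HTTPS VIP returned and count how many of its references still point at http:// on your own host, since each of those costs the browser a plain-HTTP request, the 302 from the redirect VIP, and then the HTTPS request. The script below is an added example, not code from the thread or from F5; it also mirrors in Python's regex engine what the STREAM rewrite would do to that body, both in the basic form and with one host excluded from the rewrite. The HTML and host names are constructed; the host-anchored lookahead used for the exclusion is my own choice rather than the `.*?` form posted later in the thread, because a `.*?` lookahead also skips any earlier http:// reference that merely has the excluded host somewhere later on the same line.

```python
import re

# Constructed sample of an HTML page returned by the HTTPS VIP, standing in for
# what a client-side capture (Fiddler/HTTPWatch) would show. The host is the
# thread's placeholder host; www.example.org is an unrelated external site.
OUR_HOST = "host.to.our.system.com"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://host.to.our.system.com/css/app.css">
<script src="http://host.to.our.system.com/js/login.js"></script>
</head><body>
<img src="http://host.to.our.system.com/img/logo.png">
<a href="http://www.example.org/help">help</a>
<form action="https://host.to.our.system.com/login"></form>
</body></html>"""

# An http:// URL followed by its host part (stops at the path, a quote, space or '>').
HTTP_URL_RE = re.compile(r"http://([^/\s\"'>]+)")


def count_double_requests(html, our_host):
    """Return the http:// references that point back at our own host.

    With an HTTP VIP that only redirects, each of these costs the client a
    plain-HTTP request, the 302, and then the HTTPS request: two round trips
    per object. A long list here is the capture result Kevin describes."""
    return [m.group(0)
            for m in HTTP_URL_RE.finditer(html)
            if m.group(1).lower() == our_host.lower()]


def rewrite_http_refs(html, keep_host=None):
    """Apply, in Python's re engine, the rewrite a STREAM iRule would do.

    keep_host=None is the basic {@http://@https://@} expression: every
    http:// becomes https://, including links to third-party sites.
    With keep_host set, references to that host are left alone; the lookahead
    is anchored at the host (followed by a delimiter) so it cannot skip an
    unrelated URL that merely precedes that host on the same line."""
    if keep_host is None:
        return html.replace("http://", "https://")
    pattern = re.compile(r"http://(?!" + re.escape(keep_host) + r"[/\s\"'>])")
    return pattern.sub("https://", html)


if __name__ == "__main__":
    refs = count_double_requests(SAMPLE_HTML, OUR_HOST)
    print("objects that would be fetched twice:", len(refs))
    print(rewrite_http_refs(SAMPLE_HTML, keep_host="www.example.org"))
```

Run the counter over the real captured body first; if it reports few or no references, the redirect VIP is not where the login slowness comes from and the rewrite iRule is not worth deploying. Note that the basic expression also rewrites the external help link, so a site that links to third-party hosts without HTTPS needs the excluded-host form.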
- Zainal_Abidin_1
Nimbostratus
We need to create a new iRule. Can we use something like this:
when HTTP_REQUEST {
    # Disable the stream filter for all requests
    STREAM::disable
}
when HTTP_RESPONSE {
    # Check if response type is text
    if {[HTTP::header value Content-Type] contains "text"} {
        # Replace any http:// instance with https://, unless the original string is http://*system.com:
        STREAM::expression {@http://(?!.*?system\.com)@https://@}
        # Enable the stream filter for this response only
        STREAM::enable
    }
}
- Zainal_Abidin_1
Nimbostratus
Also, in the client SSL profile properties, for Ciphers we just use the default. Can it stay at the default or do we need to put in any parameter?
- Zainal_Abidin_1
Nimbostratus
Can we put this in the Ciphers box?
ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM:@SPEED
- Kevin_Stewart
Employee
We need to create a new iRule. Can we use something like this:
The very basic expression for this would be:
{@http://@https://@}
Unless you need something more specific. Before you add this iRule though, I highly recommend you do the client side capture to determine if it's actually needed (excessive HTTP-to-HTTPS redirects).
Also, in the client SSL profile properties, for Ciphers we just use the default. Can it stay at the default or do we need to put in any parameter?
The DEFAULT cipher profile is reasonably well tuned (and hardware accelerated). There's rarely a reason to vary from this setting.
Can we put this in the Ciphers box?
Keep in mind that this is going, I assume, in the client SSL profile, which affects the SSL communications between the client and the VIP. If the clients are regular browsers, you shouldn't need to modify the DEFAULT cipher profile.
- Zainal_Abidin_1
Nimbostratus
We will try this new config tonight. Because the server is in production we cannot test during office hours. On the server side we are not putting any SSL; we just do the redirect on the F5.
- nitass
Employee
I agree with Kevin, i.e. capture client-side traffic using either tcpdump/ssldump or an HTTP analyzer tool.
HttpFox
- Zainal_Abidin_1
Nimbostratus
Hi,
I tried to check SSL using this command:
openssl s_client -connect host.to.our.system.com:443
I get this error:
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 4585C1DC2D5EFE28197FC582D5DBCB5BC263468B1D33F5C3D3A6B13216E5D1DD
Session-ID-ctx:
Master-Key: 508F03208211204DABD9A691CAC300E2B3B1063F9A3E821AFB718C195FF4111D71E5503E42E6C9866248321AB61FF952
Key-Arg : None
Krb5 Principal: None
Start Time: 1404266098
Timeout : 300 (sec)
**Verify return code: 21 (unable to verify the first certificate)**
Any idea why?
- Zainal_Abidin_1
Nimbostratus
This is the full error:
[root@vsvr-console ~] openssl s_client -connect host.to.our.system.com:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=host.to.our.system.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=host.to.our.system.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=host.to.our.system.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=host.to.our.system.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFZjCCBE6gAwIBAgIHKz68rKQk1zANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlm
aWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5
IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5Njky
ODcwHhcNMTMxMjExMjI1NTA0WhcNMTQxMjAzMDQzOTQzWjBFMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxIDAeBgNVBAMTF2Vjb3B5cmlnaHQubXlp
cG8uZ292Lm15MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4pTsKG/H
LjawDZEtXM+mwg6Vew3U3ngk/xDm+YEaRrPlKc/jOPzNF+AXfggnBjjux8oEgXhm
tZTi8srS//lvOPtZCmbrHlB0Xmyk2UFYZVzFIEbmmpvr7aWP3zkNdaHbL1bfWqk8
sjgQeT0kyCxIe9iXscHa3gdHiLTmu9sfvP1RnhicMKO9nO1euho6mx/fp2ma254z
PKMwDMljUljh0MaLjRdRxDybsP7qiHiAhJVvOkqjJyLzvCFvGLEhgJAxfCtv0gDs
+SLMfElhG1gmvrhJ1zVh0mEtrirwJT46E8Pyh0FvQr3b/SeSIb6ufPfgTRx19Chq
x2Fzy+cpOsXBdQIDAQABo4IB0zCCAc8wDwYDVR0TAQH/BAUwAwEBADAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDQGA1UdHwQt
MCswKaAnoCWGI2h0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2RzMS0xMDQuY3JsMFMG
A1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2Nl
cnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEE
dDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYB
BQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9y
eS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q6
53aZaMznMD8GA1UdEQQ4MDaCF2Vjb3B5cmlnaHQubXlpcG8uZ292Lm15ght3d3cu
ZWNvcHlyaWdodC5teWlwby5nb3YubXkwHQYDVR0OBBYEFH+T4+FeLSP/lxy+6gYt
CHu4ycCrMA0GCSqGSIb3DQEBBQUAA4IBAQBCr4287/BAhdyA9MhN+MVrPjXtWNT0
gFgC/RXkvF6lviHEBZKwM4qH8nWMmskoH57/Devyy3D7HSqvgcSJf80koe+rxWVL
CKiOuT4dG6gJz5BwTN3iwO7dE/mtLXMfpdDXwdlk+sbeYEyfI+m6WjrkYSs4oy3j
iov4urctdAkWn7bjn+nwBcTJCSVfU3ijhDuHt1K5OwsuZrI69ZXyCzy+bBCDdBLC
DMRenBSvs+MJAzXu5UWEpBFAQ5ZzeK+Q2G87/vKaN4IlAWZ7mAK2kQKHslwWL7oh
gZsRcEzNpDWVZYwGtl3XD/m5lNiMOYFVu4/WQ6NZqsCeGOVngnxN5XCd
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=host.to.our.system.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 1556 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 4585C1DC2D5EF0A8197FC582D5DBCB5BC2648DDC1D33F741D3A6B13216E0875A
Session-ID-ctx:
Master-Key: CF968E8C26DB1215BE65614209DAE876995F57D0351A4DC3CCD272384E7AC3B0D99D6889A9960A1765C3B8DD80788CF4
Key-Arg : None
Krb5 Principal: None
Start Time: 1404440552
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0
- Kevin_Stewart
Employee
This isn't really telling you anything useful, other than your openssl client isn't presenting or able to validate any of the certificates. You need to:
- Perform a client side layer 7 capture to see what the HTTP traffic looks like, and
- Perform an ssldump capture on the client side, while testing with a browser, to see what the SSL handshake looks like.