Forum Discussion
SSL Offloading -> Certificate Unknown
Hi,
We were able to implement SSL offloading but recently required even the next flow of traffic to be https. Here's the flow:
Client browses HTTPS: VIP(1st) --> SSL Offloading --> HTTP nodes - it will then download JRE files to the client desktop.
From the Java GUI, the client will be asked for account credentials that will be forwarded to another HTTPS: VIP(2nd) --> SSL Offloading --> HTTP node.
Note: VIP(1st) has its own client cert configured, as well as VIP(2nd).
Do we have any good configuration for this requirement? It seems this is an SSL certificate issue that we're encountering on the Java.
Upon checking the dump, it shows "Certification Unknown" upon triggering the VIP(2nd).
Thanks
Ryan
2 Replies
- Kevin_Stewart
Employee
Are you requiring client certificate (mutual) authentication at either VIP? It may be a good time to start an SSLDUMP capture to see exactly where the SSL is breaking:
ssldump -k [path to private key] -i 0.0 -AdNn port 443 [and any additional filters]
If you are requiring client certificate, you'll also need to make sure that the certificate that the client is presenting is trusted by virtue of the explicitly-assigned certificate authorities bundle in the client SSL profile.
- Kevin_Stewart
Employee
SSLv2 would be one of the problems, but also if you're requiring a client cert you MUST provide a CA bundle in the client SSL profile to be able to validate the client's certificate. It also appears in the ssldump that the client is failing the connection. Assuming it's because the server (F5) is sending a self-signed server cert, and the Java client has no way to validate it or allow you to continue.
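Added example, not part of either reply: a small Python parser that reads ssldump text output and reports which side sent a fatal certificate alert, which separates the two causes raised above (the Java client not trusting the VIP's certificate versus the VIP lacking a CA bundle to validate a client certificate). The sample capture, addresses and function names are constructed, and the record layout is assumed to follow ssldump's usual text format.

```python
import re

# Constructed ssldump-style excerpt (not from the thread). Assumed layout:
# "conn rec time (delta) direction type", followed by indented detail lines.
SAMPLE = """\
New TCP connection #1: 10.1.1.50(51544) <-> 10.1.1.100(443)
1 1  0.0011 (0.0011)  C>S  Handshake
      ClientHello
1 2  0.0023 (0.0012)  S>C  Handshake
      ServerHello
1 3  0.0023 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0310 (0.0287)  C>S  Alert
    level           fatal
    value           certificate_unknown
"""

RECORD = re.compile(r"^(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(\S+)")
FIELD = re.compile(r"^\s+(level|value)\s+(\S+)")
HINTS = {  # direction of the alert tells you who refused whose certificate
    "C>S": "client rejected the VIP's server certificate; check the client's trust store",
    "S>C": "VIP rejected the client certificate; check the CA bundle in the client SSL profile",
}

def find_alerts(text):
    """Return one dict per Alert record: conn, dir, and level/value if present."""
    alerts, current = [], None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            current = None  # a new record ends the previous alert's detail lines
            if m.group(3) == "Alert":
                current = {"conn": int(m.group(1)), "dir": m.group(2)}
                alerts.append(current)
            continue
        f = FIELD.match(line)
        if f and current is not None:
            current[f.group(1)] = f.group(2)
    return alerts

def diagnose(text):
    """List (conn, direction, alert, hint) for each fatal certificate alert."""
    return [(a["conn"], a["dir"], a["value"], HINTS[a["dir"]])
            for a in find_alerts(text)
            if a.get("level") == "fatal" and "certificate" in a.get("value", "")]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```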