Forum Discussion
SSL Offloading and Backend pool https
Trying to set up a VIP without any SSL profiles, and I see an error as below.
client----https://abcd.xyz.com:8444 ----- F5 ---- Pool abcd1:8444 with HTTPS
The VIP is configured with HTTPS and the backend server has an HTTPS pool; I see the pool member up with an HTTPS monitor. When trying to access it I see the following:
Without a Client SSL profile, I see "403 Request's Host header does not match with server's name". Will this be fixed if abcd1 has abcd1 and abcd in its cert?
With a Client SSL profile using a wildcard cert, I see ERR_RESPONSE_HEADERS_TRUNCATED. What does this error mean?
Applying both a Client and a Server SSL profile gives the same 403 Request Host header error as above.
Can someone point me to a good article explaining these errors and what happens between the F5 and the backend pool member when there is no Server SSL profile and we have only a Client SSL profile?
8 Replies
Would you be able to provide the configuration of your virtual server and pool, please? Now, as far as your error is concerned, the pool member you're being balanced to does not contain the FQDN that you are using in the SSL cert as the CN or alternate names. Take the following as an example.
client request https://www.example.com/hello -> VS -> Pool -> pool member 1
Pool member 1 will see www.example.com as the name sent, but pool member 1 could have only example.com in the CN or alternate name and would produce that error. In order to correct this issue you would need the FQDN to exist in the CN and/or alternate name field so as to not produce the error.
- InquisitiveMai
Cirrostratus
Thank you. So the 403 Host header error will be fixed by adding all the names as alternate names in the cert?
The VIP is configured as HTTPS and uses a non-default port.
What does ERR_RESPONSE_HEADERS_TRUNCATED mean?
That is correct, adding the names including the CN into the subject alternative names section should correct your issue with the SSL certificate. That error you're receiving in your browser is because the browser has decided it's malformed information or some other information that could cause issues, so it sends you that error instead. Using SSL over a non-standard port shouldn't cause any issues as long as you aren't using a port that is used by some other well known application. You should be able to do the following in your browser and it will be fine.
https://www.example.com:8444/
Sending this to the pool members on 8444 shouldn't cause an issue either. The only thing that I can see causing a problem is if you have an HTTP profile configured when you aren't terminating SSL on the LTM. If you are just listening on 8444 and sending traffic to a pool that has each member configured as 8444 or any other port, it will work. Just make sure you have the FQDN you are using in the CN or subject alternative name and it shouldn't produce an error. Because of new rules with SSL certificates you need to make sure the FQDN in the CN also exists in the subject alternative name, as well as all other names.
- Injeyan_Kostas
Nacreous
Hello,
If you do not use a Server SSL profile then the F5 will not do an SSL handshake with the backend server. Therefore it will fail if the backend server uses HTTPS.
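As an added example that is not part of the thread, the following Python models what the pool member on port 8444 receives under the three profile combinations the original post tried, and why the two errors differ. It is not F5 code: the ClientHello is a minimal constructed TLS 1.2 record used only to show where the hostname travels, and the pool member is modelled as a TLS listener whose virtual-host check compares the Host header against the names in its own certificate, which is an assumption about what produces the 403 in the post. The names abcd.xyz.com, abcd1 and abcd come from the post; the certificate contents are assumed.

```python
from __future__ import annotations
import struct

# Names taken from the original post; what the pool member's certificate carries is an assumption.
CLIENT_HOST = "abcd.xyz.com"
REQUEST = b"GET / HTTP/1.1\r\nHost: abcd.xyz.com:8444\r\n\r\n"   # constructed request inside the TLS tunnel


def build_client_hello(sni: str | None) -> bytes:
    """Minimal, constructed TLS 1.2 ClientHello record (one cipher suite) with an
    optional server_name extension. Enough to show where the hostname travels."""
    ext = b""
    if sni:
        name = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # NameType host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list      # ExtensionType server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                       # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                         # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # HandshakeType client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _sni_from_client_hello(rec: bytes) -> str | None:
    """Walk the ClientHello to the server_name extension; None if absent or malformed."""
    try:
        p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
        p += 1 + rec[p]                                      # session id
        p += 2 + struct.unpack("!H", rec[p:p + 2])[0]        # cipher suites
        p += 1 + rec[p]                                      # compression methods
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]   # extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            p += 4
            if etype == 0:                                   # list_len(2) name_type(1) name_len(2) name
                nlen = struct.unpack("!H", rec[p + 3:p + 5])[0]
                return rec[p + 5:p + 5 + nlen].decode("idna")
            p += elen
    except (IndexError, struct.error):
        pass
    return None


def peek_backend_input(data: bytes) -> tuple[str, str | None]:
    """What a TLS listener on the pool member makes of the first bytes it receives:
    ('tls', sni), ('http', host_header) for plaintext that should never have arrived,
    or ('garbage', None)."""
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        return "tls", _sni_from_client_hello(data)
    line, _, rest = data.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        host = next((h[5:].strip().decode() for h in rest.split(b"\r\n")
                     if h.lower().startswith(b"host:")), None)
        return "http", host
    return "garbage", None


def host_matches_names(host_header: str, names: list[str]) -> bool:
    """Compare the Host header (port stripped) with certificate dNSNames. One leftmost
    wildcard label is honoured, as browsers do (RFC 6125 6.4.3); the CN is deliberately
    not consulted, so every name has to be present as a SAN."""
    host = host_header.split(":", 1)[0].lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) and host.count(".") == name.count("."):
            return True
    return False


def what_backend_sees(client_ssl: bool, server_ssl: bool, server_name: str | None = None) -> bytes:
    """First bytes the pool member receives on 8444 for a browser request to
    https://abcd.xyz.com:8444/, per LTM profile combination."""
    if not client_ssl:
        return build_client_hello(CLIENT_HOST)   # pass-through: the browser's own handshake, SNI intact
    if not server_ssl:
        return REQUEST                           # LTM decrypted the request and forwards plaintext to a TLS port
    return build_client_hello(server_name)       # LTM re-encrypts; SNI comes from the Server SSL profile, not the browser


def outcome(client_ssl: bool, server_ssl: bool, backend_names: list[str],
            server_name: str | None = None) -> str:
    """Constructed model of the pool member: a TLS listener whose virtual-host check
    compares the Host header with the names in its own certificate."""
    kind, _sni = peek_backend_input(what_backend_sees(client_ssl, server_ssl, server_name))
    if kind != "tls":
        # No TLS record ever arrives, so the listener never produces an HTTP response and the
        # browser sees the connection end before any headers (consistent with ERR_RESPONSE_HEADERS_TRUNCATED).
        return "no HTTP response: plaintext sent to a TLS port"
    host = REQUEST.split(b"Host: ")[1].split(b"\r\n")[0].decode()   # Host is unchanged whichever path was taken
    if host_matches_names(host, backend_names):
        return "200 OK"
    return "403 Request's Host header does not match with server's name"


if __name__ == "__main__":
    cert_names = ["abcd1", "abcd"]               # what the post suggests the pool member's cert carries
    for cs, ss in [(False, False), (True, False), (True, True)]:
        print(f"client-ssl={cs!s:<5} server-ssl={ss!s:<5} -> {outcome(cs, ss, cert_names)}")
    print("with abcd.xyz.com added as a SAN       ->", outcome(True, True, cert_names + ["abcd.xyz.com"]))
```

Running it prints one line per combination: pass-through and re-encryption both reach the backend's name check and fail until abcd.xyz.com itself is present as a SAN (the short names abcd1 and abcd never match the Host header the browser sends), while a Client SSL profile alone delivers plaintext to a TLS port and yields no HTTP response at all. The matcher ignores the CN on purpose, which is the same reason the FQDN must appear as a SAN and not only as the CN.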
- Shyy
Cirrus
Well, you must use a Client SSL profile, that's for sure, since the client is accessing the web link using HTTPS.
The issue is most likely coming from the back end, since the server itself is supposed to work with HTTPS according to what you've stated.
If you keep the HTTPS access for the client (virtual server) and change the pool members to HTTP, does everything work correctly with only the Client SSL profile?
- RavinderSingh13
Altocumulus
Hello folks (newbie here), sorry, I don't want to hijack this thread. I have posted 2 questions from my profile but they are still showing "waiting for approval". What could I do in this case, please? Could someone please help here? Cheers.
- ngockq
Altostratus
Can you use the option "SSL server incompatible" on the Server SSL profile?
