Forum Discussion
mike_gatti_6169
Nimbostratus
Apr 17, 2008
SSL Pass Through
I have a pool of appliances that are running on port 443 with a self signed certificate that cannot be changed (the vendor does not have an option to disable SSL and run the web interface on port 80)...
hoolio
Cirrostratus
Apr 17, 2008
That sounds like it should work...
If you don't have a server SSL profile on the VIP, the BIG-IP can't/won't try to validate the certificate that the pool member presents. Can you check the pool stats to see if there are any stats for the pool member? Or better, can you run another tcpdump on the BIG-IP checking for the client and server IPs to see what's happening at the TCP layer? You can listen on all switch interfaces using interface 0.0:
tcpdump -ni 0.0 host CLIENT_IP or host SERVER_IP
If you want to save the output to a binary file, you can use this:
tcpdump -ni 0.0 -s0 -w/var/tmp/`hostname`.ssl.dmp host CLIENT_IP or host SERVER_IP
Once you have a trace that includes both the client to VIP and SNAT to server traffic, you might be able to find clues at the TCP layer. Else, you can decrypt the trace using the web server's private key and ssldump.
Aaron
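As an added example (not from the thread or from F5), a small Python script that reads a capture written with tcpdump -w like the one above and, for each client-to-server flow, reports whether the TCP handshake completed and whether a TLS ClientHello/ServerHello was exchanged, so the client-to-VIP flow and the SNAT-to-server flow can be compared side by side. The pcap builder, the addresses and the truncated TLS records are constructed test data, not a real trace.

```python
import struct
from collections import defaultdict
SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits
CLIENT_HELLO, SERVER_HELLO = b"\x16\x03\x01\x00\x05\x01", b"\x16\x03\x01\x00\x05\x02"  # truncated TLS records (constructed)
def frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for test data only (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + iph + tcp
def pcap(frames):
    """Wrap frames in a little-endian pcap file, the format tcpdump -w writes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
def packets(data):
    """Yield (src, dst, sport, dport, flags, payload) for every TCP/IPv4 frame in a pcap."""
    end, off = ("<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        f, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6: continue  # not IPv4/TCP
        tcp = f[14 + (f[14] & 0x0F) * 4:]
        src, dst = (".".join(map(str, f[i:i + 4])) for i in (26, 30))
        yield (src, dst, *struct.unpack("!HH", tcp[:4]), tcp[13], tcp[(tcp[12] >> 4) * 4:])
def diagnose(data):
    """Per client->server flow, report how far the TCP handshake and the TLS handshake got."""
    st = defaultdict(lambda: {"synack": False, "rst": False, "hello": False, "server_hello": False})
    for src, dst, sport, dport, flags, pl in packets(data):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK: st[fwd]  # the first SYN creates the flow record
        elif flags & SYN and rev in st: st[rev]["synack"] = True
        elif flags & RST and (fwd in st or rev in st): st[fwd if fwd in st else rev]["rst"] = True
        tls = pl[:1] == b"\x16" and len(pl) > 5
        if tls and pl[5] == 1 and fwd in st: st[fwd]["hello"] = True         # ClientHello
        if tls and pl[5] == 2 and rev in st: st[rev]["server_hello"] = True  # ServerHello
    def verdict(s):
        if not s["synack"]: return "no SYN-ACK: server never answered (route, SNAT or pool member down?)"
        if s["server_hello"]: return "TLS handshake exchanged"
        if s["rst"] and s["hello"]: return "RST after ClientHello: server rejected the TLS session"
        if s["rst"]: return "RST after TCP handshake, before any TLS data"
        return "TCP open, no ServerHello seen"
    return {"%s:%d -> %s:%d" % k: verdict(s) for k, s in st.items()}

# Constructed sample: client->VIP completes TLS, while the SNAT->pool member flow is reset after the ClientHello.
SAMPLE = pcap([
    frame("10.1.1.5", "10.1.1.100", 40000, 443, SYN), frame("10.1.1.100", "10.1.1.5", 443, 40000, SYN | ACK),
    frame("10.1.1.5", "10.1.1.100", 40000, 443, ACK, CLIENT_HELLO), frame("10.1.1.100", "10.1.1.5", 443, 40000, ACK, SERVER_HELLO),
    frame("10.2.2.1", "10.2.2.50", 50000, 443, SYN), frame("10.2.2.50", "10.2.2.1", 443, 50000, SYN | ACK),
    frame("10.2.2.1", "10.2.2.50", 50000, 443, ACK, CLIENT_HELLO), frame("10.2.2.50", "10.2.2.1", 443, 50000, RST | ACK),
])
```

Run diagnose() on the bytes of a real /var/tmp/*.ssl.dmp file to get the same per-flow verdicts; a flow with no SYN-ACK points at reachability or SNAT, while a RST right after the ClientHello points at the pool member's TLS stack.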