Forum Discussion

sgnormo
Jan 03, 2023

SSL PROXY

I am looking at the SSL Proxy feature to see how it works and if there are possible benefits. I have gotten it to the point where the traffic is getting through and negotiation is "working". I have the apache backend and F5 agreeing to use the RSA TLS_RSA_AES256_GCM_SHA384.

Below is the output from the LTM logs. I have attached a screenshot of the packet capture.

Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil err tmm7[18879]: 01260015:3: Certificate supplied by server (subject CN: pool.nsoc.health.mil) was not configured on virtual: /Common/AZEE-PP-WTMP-MONITOR-TEST
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260009:4: 10.51.0.43:443 -> 10.51.0.6:59978: Connection error: ssl_hs_pxy_scan:17835: alert(46) no matching certificate
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 10.51.0.43:443 -> 10.51.0.6:59978
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 214.1.209.119:59978 -> 214.81.239.255:443
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil err tmm5[18879]: 01260015:3: Certificate supplied by server (subject CN: pool.nsoc.health.mil) was not configured on virtual: /Common/AZEE-PP-WTMP-MONITOR-TEST
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260009:4: 10.51.0.43:443 -> 10.51.0.6:59980: Connection error: ssl_hs_pxy_scan:17835: alert(46) no matching certificate
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260013:4: SSL Handshake failed for TCP 10.51.0.43:443 -> 10.51.0.6:59980
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260013:4: SSL Handshake failed for TCP 214.1.209.119:59980 -> 214.81.239.255:443
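The 01260015 line is the one to read first: in a Proxy SSL deployment the BIG-IP needs a copy of the backend server's certificate and key in the server SSL profile attached to the virtual, and this message says the certificate the server presented (subject CN pool.nsoc.health.mil) was not among those configured on /Common/AZEE-PP-WTMP-MONITOR-TEST. The 01260009 alert(46) "no matching certificate" and the pair of 01260013 handshake failures (the server-side and then the client-side connection) are the consequences on the same TMM. As an added example, not code from the post or from F5, the following Python script parses LTM log lines of the shape shown above and correlates the missing-certificate error with the connection errors and handshake failures that follow it on the same TMM. The sample log embedded in it is constructed; host names, addresses and the virtual server name are placeholders.

```python
"""Triage BIG-IP LTM log lines for Proxy SSL handshake failures.

Added example (not from the forum post or from F5): it parses the syslog shapes
shown in the post and correlates the 01260015 "certificate not configured on
virtual" error with the 01260009 / 01260013 events that follow it on the same TMM.
"""
import re
from collections import defaultdict

# Constructed sample log. Message bodies follow the shapes in the post;
# host names, addresses and the virtual server name are placeholders.
SAMPLE_LOG = """\
Jan 3 16:33:21 bigip.example.test err tmm7[18879]: 01260015:3: Certificate supplied by server (subject CN: pool.example.test) was not configured on virtual: /Common/VS-EXAMPLE
Jan 3 16:33:21 bigip.example.test warning tmm7[18879]: 01260009:4: 10.0.0.43:443 -> 10.0.0.6:59978: Connection error: ssl_hs_pxy_scan:17835: alert(46) no matching certificate
Jan 3 16:33:21 bigip.example.test warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 10.0.0.43:443 -> 10.0.0.6:59978
Jan 3 16:33:21 bigip.example.test warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 198.51.100.119:59978 -> 203.0.113.255:443
Jan 3 16:33:22 bigip.example.test info tmm0[18879]: unrelated line without a message id
"""

# Syslog envelope: timestamp, host, severity, tmmN[pid], 8-hex-digit message id, level, body.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<tmm>tmm\d+)\[(?P<pid>\d+)\]: (?P<code>[0-9A-Fa-f]{8}):(?P<lvl>\d): (?P<msg>.*)$"
)
# Message bodies for the three message ids seen in the post.
CERT_RE = re.compile(
    r"Certificate supplied by server \(subject CN: (?P<cn>[^)]+)\) "
    r"was not configured on virtual: (?P<vs>\S+)"
)
CONN_RE = re.compile(r"(?P<src>\S+:\d+) -> (?P<dst>\S+:\d+): Connection error: (?P<detail>.*)")
HS_RE = re.compile(r"SSL Handshake failed for TCP (?P<src>\S+:\d+) -> (?P<dst>\S+:\d+)")

MISSING_CERT, CONN_ERROR, HS_FAILED = "01260015", "01260009", "01260013"


def parse_lines(text):
    """Return parsed envelope dicts and the count of non-empty lines that did not match."""
    events, other = [], 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append(m.groupdict())
        elif raw.strip():
            other += 1
    return events, other


def triage(text):
    """Correlate missing-certificate errors with the handshake failures that follow them.

    Events are processed in log order; the last 01260015 seen on a TMM is taken as
    the cause of the 01260009 / 01260013 events that TMM logs afterwards.
    """
    events, other = parse_lines(text)
    missing = defaultdict(int)   # (subject CN, virtual server) -> occurrences
    last_cause = {}              # tmm -> (subject CN, virtual server)
    conn_errors, hs_failures = [], []
    for ev in events:
        tmm, code, msg = ev["tmm"], ev["code"], ev["msg"]
        if code == MISSING_CERT:
            m = CERT_RE.search(msg)
            if m:
                key = (m["cn"], m["vs"])
                missing[key] += 1
                last_cause[tmm] = key
        elif code == CONN_ERROR:
            m = CONN_RE.search(msg)
            if m:
                conn_errors.append({"tmm": tmm, "src": m["src"], "dst": m["dst"],
                                    "detail": m["detail"], "cause": last_cause.get(tmm)})
        elif code == HS_FAILED:
            m = HS_RE.search(msg)
            if m:
                hs_failures.append({"tmm": tmm, "src": m["src"], "dst": m["dst"],
                                    "cause": last_cause.get(tmm)})
    return {"missing_certs": dict(missing), "connection_errors": conn_errors,
            "handshake_failures": hs_failures, "other_lines": other}


def report(result):
    """Render the triage result as human-readable lines."""
    lines = []
    for (cn, vs), n in sorted(result["missing_certs"].items()):
        lines.append(f"server cert CN={cn} is not installed on {vs} ({n} hit(s))")
    for e in result["connection_errors"]:
        lines.append(f"{e['tmm']}: {e['src']} -> {e['dst']} : {e['detail']}")
    for f in result["handshake_failures"]:
        lines.append(f"{f['tmm']}: handshake failed {f['src']} -> {f['dst']}")
    lines.append(f"{result['other_lines']} line(s) did not carry a message id")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it against a copy of /var/log/ltm instead of the embedded sample to get, per TMM, the subject CN and virtual server that need the certificate and key added, followed by every flow that failed as a result; anything the script files under "other lines" is unrelated to this particular failure.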

  • Hi sgnormo,
    Maybe you have missed some configuration for the SSL proxy feature. I understood from the pcap snapshot that F5 could not validate the destination server certificate to pass it to the client, so as a result of this error in the SSL sequence (especially regarding SSL proxy deployments) F5 sends RST packets to close the SSL connection, so I see that F5 resets the destination server (first RST) and the client as well (second RST).

    So, I suspect that there is missing configuration regarding SSL proxy or a certificate mismatch between F5 and the destination server.
    For that reason, please follow this KB well to configure and build SSL proxy correctly:

    https://support.f5.com/csp/article/K13385

    Also take a look at this article:

    https://support.f5.com/csp/article/K13393

  • The ssl proxy feature is not very useful by itself. Nowadays F5 offers SWG or SSL Orchestrator as options. If you want to send traffic to many external devices like firewalls, IPS, ICAP the SSLO is the better option and it has guided configuration, so that you do not wonder if something was not configured.