Forum Discussion
SSL PROXY
I am looking at the SSL Proxy feature to see how it works and whether there are possible benefits. I have gotten it to the point where the traffic is getting through and negotiation is "working". I have the Apache backend and F5 agreeing to use the RSA cipher TLS_RSA_AES256_GCM_SHA384.
Below is the output from the LTM logs. I have attached a screenshot of the packet capture.
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil err tmm7[18879]: 01260015:3: Certificate supplied by server (subject CN: pool.nsoc.health.mil) was not configured on virtual: /Common/AZEE-PP-WTMP-MONITOR-TEST
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260009:4: 10.51.0.43:443 -> 10.51.0.6:59978: Connection error: ssl_hs_pxy_scan:17835: alert(46) no matching certificate
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 10.51.0.43:443 -> 10.51.0.6:59978
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 214.1.209.119:59978 -> 214.81.239.255:443
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil err tmm5[18879]: 01260015:3: Certificate supplied by server (subject CN: pool.nsoc.health.mil) was not configured on virtual: /Common/AZEE-PP-WTMP-MONITOR-TEST
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260009:4: 10.51.0.43:443 -> 10.51.0.6:59980: Connection error: ssl_hs_pxy_scan:17835: alert(46) no matching certificate
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260013:4: SSL Handshake failed for TCP 10.51.0.43:443 -> 10.51.0.6:59980
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260013:4: SSL Handshake failed for TCP 214.1.209.119:59980 -> 214.81.239.255:443
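Added example, not part of the original post and not an F5 tool: a small Python triage script that parses the tmm log lines quoted above and correlates the three messages of each failed handshake (01260015 server certificate not configured on the virtual, 01260009 connection error with the TLS alert number, 01260013 handshake failed on the serverside and clientside flows) into one record per connection. The sample log is the text from the post; the assumption that lines belonging to one handshake arrive in sequence on the same tmm is mine, as is the name-to-number mapping for the TLS alert (alert 46 is certificate_unknown in RFC 5246).

```python
import re

# Log lines copied verbatim from the post above (BIG-IP /var/log/ltm format).
SAMPLE_LOG = """\
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil err tmm7[18879]: 01260015:3: Certificate supplied by server (subject CN: pool.nsoc.health.mil) was not configured on virtual: /Common/AZEE-PP-WTMP-MONITOR-TEST
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260009:4: 10.51.0.43:443 -> 10.51.0.6:59978: Connection error: ssl_hs_pxy_scan:17835: alert(46) no matching certificate
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 10.51.0.43:443 -> 10.51.0.6:59978
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 214.1.209.119:59978 -> 214.81.239.255:443
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil err tmm5[18879]: 01260015:3: Certificate supplied by server (subject CN: pool.nsoc.health.mil) was not configured on virtual: /Common/AZEE-PP-WTMP-MONITOR-TEST
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260009:4: 10.51.0.43:443 -> 10.51.0.6:59980: Connection error: ssl_hs_pxy_scan:17835: alert(46) no matching certificate
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260013:4: SSL Handshake failed for TCP 10.51.0.43:443 -> 10.51.0.6:59980
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260013:4: SSL Handshake failed for TCP 214.1.209.119:59980 -> 214.81.239.255:443
"""

# Generic shape of a tmm log line: timestamp, host, level, tmmN[pid]: CODE:SEV: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<proc>tmm\d+)\[(?P<pid>\d+)\]: (?P<code>[0-9a-f]{8}):(?P<sev>\d): (?P<msg>.*)$"
)
FLOW_RE = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)")
CN_RE = re.compile(r"subject CN: (?P<cn>[^)]+)\) was not configured on virtual: (?P<vs>\S+)")
ALERT_RE = re.compile(r"alert\((?P<alert>\d+)\)")

# TLS alert descriptions from RFC 5246 section 7.2 (certificate-related subset).
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}


def parse_line(line):
    """Return a dict of fields for one tmm log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    f = FLOW_RE.search(rec["msg"])
    rec["flow"] = f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}" if f else None
    c = CN_RE.search(rec["msg"])
    rec["cn"], rec["vs"] = (c["cn"], c["vs"]) if c else (None, None)
    a = ALERT_RE.search(rec["msg"])
    rec["alert"] = int(a["alert"]) if a else None
    return rec


def failures(log_text):
    """Group the 01260015 / 01260009 / 01260013 messages of each failed handshake.

    Assumption: the three messages for one connection are emitted in order by the
    same tmm, so a 01260015 opens a record and later lines on that tmm fill it in.
    """
    current = {}   # tmm name -> record currently being filled
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tmm = rec["proc"]
        if rec["code"] == "01260015":
            cur = {"tmm": tmm, "time": rec["ts"], "server_cn": rec["cn"], "virtual": rec["vs"],
                   "alert": None, "alert_name": None, "serverside": None, "clientside": None}
            current[tmm] = cur
            out.append(cur)
            continue
        cur = current.get(tmm)
        if cur is None:
            continue
        if rec["code"] == "01260009":
            # The connection-error line carries the alert and the serverside flow.
            cur["alert"] = rec["alert"]
            cur["alert_name"] = TLS_ALERTS.get(rec["alert"], "unknown")
            cur["serverside"] = rec["flow"]
        elif rec["code"] == "01260013" and rec["flow"] != cur["serverside"]:
            # The second handshake-failed line is the client -> virtual server flow.
            cur["clientside"] = rec["flow"]
    return out


def report(log_text):
    """One human-readable line per failed handshake, for a quick triage view."""
    return [f"{f['time']} {f['tmm']}: VS {f['virtual']} rejected server cert CN={f['server_cn']} "
            f"(alert {f['alert']} {f['alert_name']}); serverside {f['serverside']}; clientside {f['clientside']}"
            for f in failures(log_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Running it against the quoted log yields two records, both pointing at the same cause: the virtual /Common/AZEE-PP-WTMP-MONITOR-TEST does not have the certificate the pool member presents (CN pool.nsoc.health.mil), so the handshake is torn down on both sides. For a larger log the same grouping makes it easy to see whether every failure names the same CN and virtual (a configuration gap) or many different ones (a broader mismatch).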
Hi sgnormo,
Maybe you have missed some configuration for the SSL proxy feature. I understood from the pcap snapshot that F5 could not validate the destination server certificate to pass it to the client, so as a result of this error in the SSL sequence (especially in SSL proxy deployments) F5 sends RST packets to close the SSL connection. I see that F5 resets the destination server (first RST) and the client as well (second RST).
So I suspect that there is missing configuration regarding SSL proxy, or a certificate mismatch between F5 and the destination server.
For that reason, please follow this KB closely to configure and build SSL proxy correctly:
https://support.f5.com/csp/article/K13385
Also take a look at this article:
https://support.f5.com/csp/article/K13393
The SSL proxy feature is not very useful by itself. Nowadays F5 offers SWG or SSL Orchestrator as options. If you want to send traffic to many external devices like firewalls, IPS or ICAP, SSLO is the better option, and it has guided configuration so that you do not wonder whether something was not configured.
- sgnormo
I know about SSLO and it is used within another area of the organization, but that would have made it more complicated than it needs to be for this situation.
If you do not need to direct the traffic to other devices after decrypting it, then yes: in the backplane, SSLO or SWG (SSLO is replacing SWG, as SWG can now be a service for SSLO: https://community.f5.com/t5/technical-articles/ssl-orchestrator-use-case-swgaas/ta-p/285469) also use the SSL proxy as a base feature, and you can just review what the SSLO guided config has created as the VS that the traffic first hits to see how to configure the SSL proxy.
Still, as a note, even with SSL proxy and LTM you can use ICAP if you want to do more than only decrypt the traffic 😉