SSL PROXY
I am looking at the SSL Proxy feature to see how it works and if there are possible benefits. I have gotten it to the point where the traffic is getting through and negotiation is "working". I have the Apache backend and F5 agreeing to use the RSA TLS_RSA_AES256_GCM_SHA384.
Below is the output from the LTM logs. I have attached a screenshot of the packet capture.
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil err tmm7[18879]: 01260015:3: Certificate supplied by server (subject CN: pool.nsoc.health.mil) was not configured on virtual: /Common/AZEE-PP-WTMP-MONITOR-TEST
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260009:4: 10.51.0.43:443 -> 10.51.0.6:59978: Connection error: ssl_hs_pxy_scan:17835: alert(46) no matching certificate
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 10.51.0.43:443 -> 10.51.0.6:59978
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 214.1.209.119:59978 -> 214.81.239.255:443
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil err tmm5[18879]: 01260015:3: Certificate supplied by server (subject CN: pool.nsoc.health.mil) was not configured on virtual: /Common/AZEE-PP-WTMP-MONITOR-TEST
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260009:4: 10.51.0.43:443 -> 10.51.0.6:59980: Connection error: ssl_hs_pxy_scan:17835: alert(46) no matching certificate
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260013:4: SSL Handshake failed for TCP 10.51.0.43:443 -> 10.51.0.6:59980
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm5[18879]: 01260013:4: SSL Handshake failed for TCP 214.1.209.119:59980 -> 214.81.239.255:443
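To make the failure sequence in those logs easier to read at scale, here is an added Python example (not from the original post or from F5) that parses LTM syslog lines of this shape and correlates each `01260015` "certificate not configured on virtual" error with the `alert(46)` and "SSL Handshake failed" lines the same tmm thread logs right after it; the four tmm7 lines above are used verbatim as sample input, and the regexes are assumptions about the log format, not an F5-documented grammar.

```python
import re

# Sample input: the four tmm7 lines quoted in the post above (verbatim).
SAMPLE_LOG = """\
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil err tmm7[18879]: 01260015:3: Certificate supplied by server (subject CN: pool.nsoc.health.mil) was not configured on virtual: /Common/AZEE-PP-WTMP-MONITOR-TEST
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260009:4: 10.51.0.43:443 -> 10.51.0.6:59978: Connection error: ssl_hs_pxy_scan:17835: alert(46) no matching certificate
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 10.51.0.43:443 -> 10.51.0.6:59978
Jan 3 16:33:21 AZEE-M-WAF01-DMBIGIPVM-DHA-PP-Z1.nsoc.health.mil warning tmm7[18879]: 01260013:4: SSL Handshake failed for TCP 214.1.209.119:59978 -> 214.81.239.255:443
"""
# Assumed line layout: timestamp, host, level, tmm thread, message code:severity, text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<tmm>tmm\d+)\[\d+\]: (?P<code>[0-9a-f]{8}):\d: (?P<msg>.*)$"
)
CERT_RE = re.compile(r"subject CN: (?P<cn>[^)]+)\) was not configured on virtual: (?P<vs>\S+)")
FLOW_RE = re.compile(r"(?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)")

def parse_ltm_log(text):
    """Return one dict per recognised line, with CN/virtual and src/dst when present."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for extra in (CERT_RE, FLOW_RE):
            hit = extra.search(ev["msg"])
            if hit:
                ev.update(hit.groupdict())
        events.append(ev)
    return events

def correlate_cert_failures(events):
    """Group each 01260015 with the 01260009/01260013 lines its tmm logs until its next 01260015."""
    results = []
    for i, ev in enumerate(events):
        if ev["code"] != "01260015":
            continue
        rec = {"tmm": ev["tmm"], "cn": ev.get("cn"), "virtual": ev.get("vs"),
               "server_flow": None, "handshake_failures": 0}
        for nxt in events[i + 1:]:
            if nxt["tmm"] != ev["tmm"]:
                continue          # interleaved lines from another tmm thread
            if nxt["code"] == "01260015":
                break             # the next mismatch on this thread starts a new record
            if nxt["code"] == "01260009" and rec["server_flow"] is None:
                rec["server_flow"] = f'{nxt["src"]} -> {nxt["dst"]}'  # F5 -> backend side
            elif nxt["code"] == "01260013":
                rec["handshake_failures"] += 1   # one server-side, one client-side
        results.append(rec)
    return results
```

Feeding the whole `/var/log/ltm` excerpt in gives one record per affected connection, showing which backend CN and virtual server each `alert(46)` traces back to.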
Hi sgnormo,
Maybe you have missed some configuration for the SSL proxy feature. I understood from the pcap snapshot that F5 could not validate the destination server certificate to pass it to the client, so as a result of this error in the SSL sequence (especially regarding SSL proxy deployments) F5 sends RST packets to close the SSL connection, so I see that F5 resets the destination server (first RST) and the client as well (second RST).
So, I suspect that there is missing configuration regarding SSL proxy or a certificate mismatch between F5 and the destination server.
For that reason, please follow this KB carefully to configure and build SSL proxy correctly:
https://support.f5.com/csp/article/K13385
Also take a look at this article:
https://support.f5.com/csp/article/K13393