Forum Discussion
Alex_30981
Nimbostratus
NimbostratusSSL server profile problem
Hello everybody,
I am having trouble in the SSL sever profile setup of a LTM VE (Trial Version). I have surfed the Web looking for an answer but so far I have been unable to solve this problem.
What I want to do is SSL re-encryption by setting up a virtual server with two SSL profiles (client and server SSL profile). Unfortunately the server SSL profile seems to fail: when I connect with openssl from a client machine to the , the SSL handshake against the LTM is correctly fulfilled, but when I send a basic HTTP request it is not being forwarded to the backend server.
Analyzing network traces on all parties involved, I can see a correct SSL handshake between LTM and the two servers but there is no encrypted payload being sent from the LTM to the end machines.
I paste my server SSL profile down here:
profile serverssl VLAN3_SSL_PROFILE {
defaults from serverssl
key none
cert none
chain none
ca file "VLAN3.crt"
crl file none
ciphers "DEFAULT"
modssl methods disable
renegotiate enable
renegotiate period indefinite
renegotiate size indefinite
peer cert mode ignore
unclean shutdown enable
strict resume disable
handshake timeout 60
alert timeout 60
cache size 262144
cache timeout 3600
}
I should add that I have associated this profile to a virtual server with no issues and that there is no iRULE involved whatsoever. In addition to this, I have reused the client SSL profile for an SSL OFFLOAD virtual address which actually works, which has led me to suspect that this is a SSL server profile problem only.
Theoretically the steps to achieve what I want to do should be pretty straightforward, but since this is Trial Version I wonder if this could be some sort of bug. I will appreciate any help you can provide me. Thanks in Advance!!
Regards,
Alex
koenning_107182Hi Alex,
from the release notes:
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes_ve_10_1_0.html
ClientSSL and ServerSSL profiles on same virtual server (CR141545)
When you assign both a ClientSSL and a ServerSSL profile to the same virtual server, the BIG-IP system forwards the client request successfully, but the client does not receive the response. To work around this issue, you can create two separate virtual servers that specify the same destination IP address and port. The first virtual server references the ClientSSL profile and an iRule that internally routes the connection to the second virtual server instead of to a load balancing pool. The second virtual server references the ServerSSL profile and the load balancing pool. The following is an example of an iRule assigned to a ClientSSL virtual server. The iRule includes the virtual command, which internally routes connections to a second virtual server named server_ssl_test. The second virtual server must have its VLAN disabled using the vlan none enable command:rule target_server_ssl { when CLIENT_ACCEPTED { virtual server_ssl_test } } pool b68_https { member 10.1.1.68:4443 } virtual client_ssl_test { destination 10.1.1.117:443 profile http clientssl tcp rule target_server_ssl } virtual server_ssl_test { destination 10.1.1.117:443 profile http serverssl tcp pool b68_https vlan none enable }
regards,
Christian Koenning- Awesome info Christian. Here is a tech tip that covers troubleshooting SSL profile issues with ssldump as well.
-George 
hooleylistCirrostratus
I'd recommend getting a 45 day eval key for VE lab edition from your F5 or partner SE. You can then install any supported VE version and use all of the modules. The trial is only good for 10.1 and has some limitations like this server SSL profile issue.
Aaron
