SSL Server Side Profile
I am looking for some help with SSL Server Profiles.
I am looking to decrypt/ASM/re-encrypt
If I connect directly to my backend server, everything works
I have installed CA cert and configured my SSL client.
If I set my backend connections to HTTP and do not apply a SSL server profile, everything works
If I then add a custom SSL server profile, with a parent profile of serverssl, and switch to a pool of HTTPS, I get an HTTP error 404: The requested resource is not found.
If I remove the server SSL profile and move back, everything is fine.
I'm unsure what if anything I am missing:
Should I configure:
Configuration >> Certificate
Configuration >> Key
Server Authentication >> Server Certificate: required
Server Authentication >> Trusted Certificate Authorities (what cert do I need here?)
Any help would be greatly appreciated
Hi Sjy,
There are 3 types of SSL communication possible:
- SSL Passthrough = no client-side SSL profile and no server-side SSL profile. The F5 VIP accepts the encrypted packets, but F5 cannot see any packet headers and simply passes the SSL packets as they are to the backend pool members.
- SSL Offloading = client-side SSL profile only, no server-side SSL profile. The encrypted traffic between the user and the F5 VIP is decrypted on the F5 and then sent in PLAIN text from the F5 to the backend pool member, if your communication between the F5 and the backend pool is secured by a firewall.
- Full SSL Proxy / SSL Re-Encryption = both a client-side SSL profile and a server-side SSL profile are applied. The encrypted traffic between the user and the F5 VIP is first decrypted using the client SSL profile, so F5 can now see the headers and data of the SSL packets in PLAIN text and modify them if needed. Once the packets have been modified, these PLAIN text packets are re-encrypted using the server-side SSL profile and sent on to the backend pool member. If your communication between the F5 and the backend pool is not secured by a firewall, it is safer to re-encrypt the packets using a server-side SSL profile and send the encrypted packets to the backend pool members.
Your case is a kind of SSL passthrough, where F5 just accepts the encrypted packet on the vServer (what we call a Virtual Server in F5, or simply a VIP) and passes it to the backend pool members as it is. Due to the absence of a client-side SSL profile, F5 is unable to decrypt these packets when they arrive at the VIP or look inside them until you provide the SSL key to decrypt the packet into plain text; only then can it read the packet headers and content, and only then can you think about changing the F5 ciphers or any other headers. Please consider that modification of SSL packets is not allowed until you decrypt them with the SSL key after receiving them; the only way to decrypt encrypted packets on F5 after arrival is by applying a CLIENT SIDE SSL profile. Hope this explains what you are looking for.
In your case, as you mentioned above, without getting the relevant cert and key (in some cases a chain certificate is also required, but that is optional and depends on the case) from the remote site or your backend pool members, you cannot apply SSL profiles on your F5 VIP or vServer. Without a key to decrypt the encrypted packet received on the vServer, F5 has no visibility: it cannot decrypt the SSL packets, look inside the packet headers, or modify any weak ciphers or any headers. If a packet is encrypted, no modification is allowed in transit; if you try to modify it, the packet will be tampered with and, once it reaches the destination, will be declared modified, which is the pattern of a MITM (Man In The Middle) attack, and it will be discarded or dropped.
Only if your packets are plain text can you apply a server-side SSL profile; otherwise you will re-encrypt the packets received at the vServer, the already encrypted packet is encrypted once more and now has 2 SSL layers, and the inner SSL packet headers still contain the weak ciphers. This will not help.
To apply a server-side SSL profile, the traffic received at the vServer should first be decrypted to plain text with the help of a client SSL profile before it is forwarded to the backend pool members; otherwise it will fail, since you would be encrypting an already encrypted packet twice.
HTH
The pool member's HTTPS endpoint might have a mismatched hostname configuration.
You need to analyze the pool member's HTTPS spec. From any Linux prompt run:
curl -vk -L https://10.1.1.1:443/abc/def -H 'Host: www.company.com'
Change the IP and port to the pool member address, and the Host header value to the hostname of the client request. The -vk parameters will show many details of the TLS session setup which you can later use for the F5 server-side SSL profile.
- sjy2025
Thanks for the feedback, really appreciated.
I managed to resolve my issue almost immediately after posting my thread. I updated the Trusted Certificate Authorities and everything started working.
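The curl check suggested above produces a verbose transcript that has to be read by eye. The following Python script is an added example, not code from DevCentral, F5 or any poster in this thread; it parses a constructed `curl -vk` transcript (the address, hostnames, dates and CA name are made up) and compares what the pool member presented with what a server-ssl profile set to Server Certificate: require would need: the certificate's issuer must be in the Trusted Certificate Authorities bundle, and the Host header sent by the client should match the name the backend answers to, since a mismatch there is one common reason for a 404. The line formats matched are curl's standard verbose output; the Trusted CA list passed to `assess_server_ssl` is an assumed input representing the DNs in your CA bundle.

```python
import re

# Constructed sample of the output that
#   curl -vk -L https://10.1.1.1:443/abc/def -H 'Host: www.company.com'
# writes to the terminal. All addresses, names and dates are made up.
SAMPLE_CURL_OUTPUT = """\
* Connected to 10.1.1.1 (10.1.1.1) port 443 (#0)
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=app01.internal.example
*  start date: Jan  1 00:00:00 2024 GMT
*  expire date: Jan  1 00:00:00 2026 GMT
*  issuer: CN=Internal Issuing CA,O=Example Corp
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /abc/def HTTP/1.1
> Host: www.company.com
> User-Agent: curl/7.81.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Length: 0
"""

# Regexes for the curl -v lines that matter for a server-side SSL profile.
PATTERNS = {
    "tls": re.compile(r"^\* SSL connection using (\S+) / (\S+)"),
    "subject": re.compile(r"^\*\s+subject: (.+)$"),
    "issuer": re.compile(r"^\*\s+issuer: (.+)$"),
    "expire": re.compile(r"^\*\s+expire date: (.+)$"),
    "verify": re.compile(r"^\*\s+SSL certificate verify result: (.+?)(?:, continuing anyway\.)?$"),
    "host": re.compile(r"^> Host: (\S+)$"),
    "status": re.compile(r"^< HTTP/\d(?:\.\d)? (\d{3})"),
}


def parse_curl_tls(output):
    """Extract the TLS session and HTTP facts from curl -v output into a dict."""
    facts = {key: None for key in
             ("tls_version", "cipher", "subject", "issuer", "expire_date",
              "verify_result", "host_header", "http_status")}
    for line in output.splitlines():
        line = line.rstrip()
        if m := PATTERNS["tls"].match(line):
            facts["tls_version"], facts["cipher"] = m.group(1), m.group(2)
        elif m := PATTERNS["subject"].match(line):
            facts["subject"] = m.group(1).strip()
        elif m := PATTERNS["issuer"].match(line):
            facts["issuer"] = m.group(1).strip()
        elif m := PATTERNS["expire"].match(line):
            facts["expire_date"] = m.group(1).strip()
        elif m := PATTERNS["verify"].match(line):
            facts["verify_result"] = m.group(1).strip()
        elif m := PATTERNS["host"].match(line):
            facts["host_header"] = m.group(1)
        elif m := PATTERNS["status"].match(line):
            facts["http_status"] = int(m.group(1))  # with -L the last response wins
    return facts


def common_name(dn):
    """Return the CN attribute of a DN string such as 'CN=x,O=y', or None."""
    m = re.search(r"CN=([^,/]+)", dn or "")
    return m.group(1).strip() if m else None


def assess_server_ssl(facts, trusted_ca_dns):
    """Compare what the pool member presented with what a server-ssl profile
    that requires a trusted server certificate needs; return finding codes.
    trusted_ca_dns: the subject DNs in the Trusted Certificate Authorities bundle."""
    findings = []
    if facts["issuer"] not in trusted_ca_dns:
        findings.append("issuer_not_trusted")      # CA bundle must contain the issuer
    if facts["verify_result"] and not facts["verify_result"].startswith("ok"):
        findings.append("curl_verify_failed")      # curl -k hid this; the F5 will not
    if facts["host_header"] and common_name(facts["subject"]) != facts["host_header"]:
        findings.append("host_cn_mismatch")        # backend may pick a vhost by name
    if facts["tls_version"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("legacy_protocol")         # weak protocol on the server side
    if facts["http_status"] == 404:
        findings.append("backend_404")
    return findings


if __name__ == "__main__":
    facts = parse_curl_tls(SAMPLE_CURL_OUTPUT)
    for key, value in facts.items():
        print(f"{key:14} {value}")
    print("findings:", assess_server_ssl(facts, trusted_ca_dns=set()))
```

Run it against real output by capturing curl's stderr and stdout together (`curl -vk ... 2>&1 > out.txt`) and feeding the file to `parse_curl_tls`. Two caveats when reading the result: `-k` makes curl ignore the verify failure, whereas an F5 server-ssl profile with Server Certificate set to require will reject the pool member unless the issuer chain is in the Trusted Certificate Authorities bundle; and the comparison here uses the certificate CN because that is what this curl transcript shows, while current clients validate against the subjectAltName list, so check that as well before deciding a name mismatch is the cause.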