Forum Discussion

Glen_Pill_33018
Aug 14, 2012

ssl service working on safari but not with chrome or firefox

Hi guys,

I've been setting up a POC with the LTM v10.1 VM trial and I'm running into a weird issue I'm hoping someone can assist with.

I've set up a simple https service, whereby the user browses to https://172.18.8.101, the f5 terminates the ssl connection, then starts up a new https connection to the back-end service.

Because of the ssl issues in the v10.1 VM trial, I've had to work around the issues with having a client-side and server-side ssl config on the same VS, so that may indeed be part of my issues. I have a test 3600, so that will be my next step, but I don't have access to that at the moment.

It would really be nice to get the VM-trial updated! I've had many F5 FSEs say this is going to happen, but nothing yet... a year later at least.

The backend server is a Bradfordnetworks NAC solution, purely just to provide a nice interface for management, presenting a real ssl cert to the user, while keeping a self-signed on the Bradford server.

My issue is Safari works (albeit slowly to connect --timeouts?), Firefox accepts the cert and then just waits and waits, while Chrome just says no after a short timeout. All my testing is on my macbook, where the VM is hosted under VM Fusion v4.1.3.

Any ideas will help!

Thanks,

Glen.

bigip.conf:

---

datastor {
   low water mark 80
   high water mark 92
}
deduplication {}
shell write partition Common
route default inet {
   gateway 172.18.8.2
}
profile clientssl testf5-cli {
   defaults from clientssl
   key "test-selfsigned.key"
   cert "test-selfsigned.crt"
}
profile serverssl testf5 {
   defaults from serverssl
   handshake timeout 60
   alert timeout 60
   cache timeout 3600
}
profile serverssl testf5-svr {
   defaults from serverssl
   key "default.key"
   cert "default.crt"
   peer cert mode ignore
}
node 8.8.8.8 {}
node 10.85.201.83 {}
pool testf5 {
   monitor all https
   members 10.85.201.83:pcsync-https {}
}
rule broken-trial-ssl {
   when CLIENT_ACCEPTED {
      virtual testf5
   }
}
rule rewrite {
   when HTTP_REQUEST {
      if { [string tolower [HTTP::uri]] starts_with "/abc" } {
         HTTP::uri [string map -nocase {"/abc" "/123/bac"} [HTTP::uri]]
      }
   }
}
virtual testf5 {
   snat automap
   pool testf5
   destination 172.18.8.101:https
   ip protocol tcp
   profiles {
      tcp {}
      testf5-svr {
         serverside
      }
   }
   vlans none enable
}
virtual testf5_cli {
   snat automap
   destination 172.18.8.101:https
   ip protocol tcp
   rules broken-trial-ssl
   profiles {
      http {}
      tcp {}
      testf5-cli {
         clientside
      }
   }
}

  • Hi Glen,

    I don't think there are any plans on releasing a new trial version. Instead, you can ask your F5 SE for an eval key for BIG-IP VE Lab Edition which includes rate limited versions of all VE modules. You can also run any current BIG-IP version instead of just 10.1 with the trial. There aren't the same issues with SSL cipher limitations either.

    If you run into a similar issue with the eval key on a new VE installation reply back here with details.

    Aaron