Terminating SSL on F5 and re-encrypt to end server

Question

Hello,&nbsp;I need to use my F5 in next scenario:&nbsp;Internet -&gt; F5 -&gt; WebApplicationProxy -&gt; End node/server&nbsp;On F5 i need to do ssl offload because i need to forward traffic based on information from header.&nbsp;I configured both: SSL Profile Client and SSL Profile Server.&nbsp;SSLDUMP F5 -&gt; Server&nbsp;New TCP connection 1: 10.99.11.36(11086) &lt;-&gt; 10.99.11.39(443)
1 1  0.0006 (0.0006)  C&gt;SV3.1(139)  Handshake
      ClientHello
        Version 3.3
        random[32]=
          59 c2 05 9e 08 c6 ec ef d2 5b 61 82 23 8a 7e 21
          cc e3 0b a1 e4 fe c2 f6 bd b9 5d a4 f0 81 0d ff
        cipher suites
          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          TLS_RSA_WITH_AES_128_GCM_SHA256
          TLS_RSA_WITH_AES_128_CBC_SHA
          TLS_RSA_WITH_AES_128_CBC_SHA256
          TLS_RSA_WITH_AES_256_GCM_SHA384
          TLS_RSA_WITH_AES_256_CBC_SHA
          TLS_RSA_WITH_AES_256_CBC_SHA256
          TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
          TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        compression methods
                  NULL
        extensions
          supported_groups
          ec_point_formats
          signature_algorithms
            signature_algorithms[26]=
              04 01 05 01 06 01 04 02 05 02 06 02 04 03 05 03
              06 03 02 01 02 02 02 03 01 01
          extended_master_secret
1    0.0012 (0.0006)  S&gt;C  TCP RSTI also have one very strange situation, i did openssl from client and i get this: This is done when i configured F5 just to forward traffic no ssl offloding&nbsp;CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1549020813
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: noDoes anyone have idea what to do?&nbsp;Thanks.&nbsp;

petewhite · Answer

Have you added a cert and key to the clientSSL profile?&nbsp;

sniffer_375425 · Answer

Hy Pete, yes of course, i did ssl handshake on External interface when i am doing ssl offloading and that is working fine. &nbsp;
I also have VS where i am ssl offloading and based on header i am doing redirect. But the problem is when i need to re-encrypt end send to server behind f5. &nbsp;

wlopez · Answer

Can you explain the error in more detail?&nbsp;
Are you getting a specific error message?&nbsp;
If you're doing ssl bridging, both client and server ssl profiles on the virtual server, there will be two separate handshakes for all traffic. Each one is independent from the other and will be handled by whatever settings you have on each ssl profile. The client ssl profile needs to complete the handshake successfully with the user. Once that happens then the handshake against the selected pool member(s) begins.&nbsp;
If you believe your situation is ssl related you may probably need to capture both handshakes.&nbsp;

petewhite · Answer

So when you re-encrypt you need to add a serverSSL profile to re-encrypt the data. Make sure that the pool member is listening on port 443. When doing SSL offloading, the clientside port is 443 ie SSL and the serverside port is 80 so you may need to change that when changing to SSL bridging.&nbsp;

sniffer_375425 · Answer

Pete, i didn't catch you with this serverside is port 80 and SSL bridging. &nbsp;
Let me explain my situation. &nbsp;
I need next case in traffic flow: &nbsp;
Client -&gt; F5 (here i am doing ssl offload with configured SSL Profile Client) -&gt; pull header and based on that forward to some pool also 443 -&gt; then WebApplicationProxy (here after user is auth ) -&gt; End server&nbsp;
Client on Internet request https://abc.abc.comIt's reaching my F5 where i configured VS with SLL Profile Client (i added certificate and private key) and with port 443.
2.1 here i checked SSL handshake between client and F5(server in this case) and everything is working fine.&nbsp;
3  After i match my request with iRule i forward to Pool in witch i have WebApplicationProxy port 443. &nbsp;
3.1 Mention VS is also configured with SSL Profile server&nbsp;
3.2 Now when i check SSL handshake between F5 (client this time) and server (WAP) i have output from my original post. Server immediately send TCP restart (i checked cipher from side client-F5 and same is sent from F5 to WAP)&nbsp;
3.3 When i check this WAP server and do netstat i don't see any connection coming and yes this WAP listening on port 443&nbsp;
Also i use http profile in VS&nbsp;
So i know that i am doing something wrong on side when i need to re-encrypt but don't know what. &nbsp;
Second scenario&nbsp;
When i don't use ssl offloading and create VS that listen on 443 and just forwarding on same pool that i use in above explained scenario (without SSL Profile Server/Client) everything is working fine. &nbsp;
Thanks a lot guys for help. &nbsp;

Forum Discussion

Terminating SSL on F5 and re-encrypt to end server

6 Replies

AppWorld Berlin iRules Contest!

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

Recent Discussions

Limit connection per VS and redirect user

APM and Datasafe

Why I could not post a comment

F5 ASM/AWAF – violations logged but no learning suggestions generated

Catch Dynamic CRL Errors and Return Friendly Page

Related Content

SSL Full Proxy - SSL Re-Encryption performance degradation

FTPS_SSL_ Termination

F5 MCP(Model Context Protocol) Server

SSL Re-Encryption - No SSL traffic on server side

AI Friday Episode 3: Snowstorms, Truth Terminal, MCP & AGI Insights

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS