Forum Discussion
Hello Ivan,
My instinct is that there's an issue with your server-side SSL certificate, either in configuration or connectivity. Based on your SSL dump from your F5 to your server, the client hello seems to be in order, sending accepted TLS ciphers, compression, algorithms, etc. But at the very bottom of the dump you shared there is:
1 0.0012 (0.0006) S>C TCP RST
That looks like a reset, i.e., your F5 did not get a response from your backend server and is restarting the SSL exchange. I'm guessing layer 4 connectivity isn't the problem, since when you offload encryption on the F5 it worked as intended.
The openssl from client through the F5 and straight to your backend servers seems to support this idea as well. The SSL handshake is failing in a nigh-identical way in this setup; there seems to be no response from the server, which should decide on which ciphers/compression will be supported. I based this off of:
no peer certificate available
---
No client certificate CA names sent
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Based on the information from the SSL dump between the F5 and the backend server, it makes sense that the certificate exchange fails, since it looks like there isn't even a Server Hello in response to the Client Hello.
To troubleshoot, I would potentially double-check how your proxy is functioning between the F5 and the backend servers; it could be blocking the Server Hello in some way. Else, maybe there's an issue with your server SSL cert.
Hope that gives you some ideas,
Austin
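The diagnosis above hinges on one question: after the Client Hello goes out, does a Server Hello ever come back, or does the peer reset, time out, or answer with something else? The following probe is an added example written for this thread, not Austin's or Ivan's tooling and not an F5 utility. It hand-builds a minimal TLS 1.2 Client Hello (with SNI, supported_groups and signature_algorithms so that ECDHE-capable servers have what they need), sends it over a plain TCP socket, and reports which of those outcomes occurred. The hostname `backend.example.internal` is a placeholder; `classify_first_record()` works on captured bytes, so it can be run against sample records offline. It generalizes the post's single case to the other first-response shapes a practitioner sees (alert, non-TLS listener, refused connection).

```python
"""Send a bare TLS ClientHello and report what the server does with it.

Added example for the forum post above; not the poster's own tooling.
Assumptions: host/port/SNI are placeholders you fill in; the probe speaks
to whatever answers at that socket (backend directly, or via the proxy).
"""
import os
import socket
import struct

# Cipher suite IDs from the IANA TLS registry (ECDHE-RSA and plain RSA).
CIPHERS = [
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0xC030,  # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
]


def _ext(ext_type: int, body: bytes) -> bytes:
    """Wrap an extension body in its type/length header (RFC 5246 7.4.1.4)."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni: str) -> bytes:
    """Build a TLS 1.2 ClientHello record carrying SNI, groups and sig-algs."""
    host = sni.encode("idna")
    name_list = struct.pack("!BH", 0, len(host)) + host            # name_type 0 = host_name
    sni_ext = _ext(0x0000, struct.pack("!H", len(name_list)) + name_list)
    groups_ext = _ext(0x000A, struct.pack("!HHH", 4, 0x0017, 0x0018))  # secp256r1, secp384r1
    sig_ext = _ext(0x000D, struct.pack("!HHHH", 6, 0x0401, 0x0501, 0x0601))  # rsa_pkcs1 sha256/384/512
    exts = sni_ext + groups_ext + sig_ext
    suites = b"".join(struct.pack("!H", c) for c in CIPHERS)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session id
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts         # extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, legacy version 3.1


def classify_first_record(data: bytes) -> str:
    """Interpret the first bytes a peer sends back after our ClientHello."""
    if not data:
        return "no ServerHello: peer closed the connection without sending any TLS record"
    ctype = data[0]
    if ctype == 0x16 and len(data) >= 6 and data[5] == 0x02:
        return "ServerHello received (record version %d.%d)" % (data[1], data[2])
    if ctype == 0x16:
        if len(data) >= 6:
            return "handshake record but not a ServerHello (handshake type %d)" % data[5]
        return "truncated handshake record"
    if ctype == 0x15 and len(data) >= 7:
        level = "fatal" if data[5] == 2 else "warning"
        return "TLS alert (%s, description %d): server rejected the ClientHello" % (level, data[6])
    return "non-TLS response (first byte 0x%02x): plaintext listener or a proxy speaking something else" % ctype


def probe(host: str, port: int = 443, sni=None, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, and classify what comes back (or does not)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello(sni or host))
            try:
                data = s.recv(4096)
            except ConnectionResetError:
                return "TCP RST after ClientHello: backend (or proxy) tore the connection down"
            except socket.timeout:
                return "no response within %.1fs: ClientHello accepted at L4 but nothing answered it" % timeout
            return classify_first_record(data)
    except ConnectionRefusedError:
        return "TCP connection refused: nothing listening on %s:%d" % (host, port)
    except socket.timeout:
        return "TCP connect timed out: layer 4 path problem, not TLS"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "backend.example.internal"  # placeholder host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(target, port))
```

Run it once from the F5 side against the backend and once from the backend host against itself: a "TCP RST after ClientHello" from the F5 path but a "ServerHello received" locally points at the proxy between them, whereas the same RST from both places points at the backend's own TLS configuration (for example a certificate or key it cannot load for that virtual host).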