Forum Discussion
troubleshooting serverssl profile with client cert..
Tcpdump can be very helpful in capturing and analyzing the traffic between the client, F5, and backend Nginx node. You can use the following command to capture the traffic:
tcpdump -i <interface> -s0 -w /var/tmp/capture.pcap host <client_ip> and host <nginx_ip> and port <nginx_port>
Once you have the capture file, you can transfer it to your local machine and analyze it using Wireshark or another packet analysis tool.
Look for the SSL handshake packets and examine the Certificate message to see if the client certificate is being sent.
Nginx Configuration:
Ensure that your Nginx server is configured to request and accept client certificates. This typically involves setting the ssl_verify_client directive to on or optional and specifying the trusted CA certificates with ssl_client_certificate.
Check the Nginx logs to see if there are any messages related to client certificate validation. The logs can provide clues about whether the certificate is being received and if there are any issues with it.
Finally
You can also use tmsh commands on the F5 to get more insights into the SSL profile and connections. For example:
tmsh show ltm profile client-ssl <profile_name>
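Added example, not part of the original reply: an Nginx server block that requests a client certificate and logs what it received per request. This helps when the capture cannot show the Certificate message, which is encrypted under TLS 1.3. The port, server name, file paths and log format name are assumptions.

```nginx
# Added example; port, names and paths are placeholders.
http {
    # One line per request with the client-certificate result:
    #   verify=NONE          no certificate was presented
    #   verify=SUCCESS       certificate chained to ssl_client_certificate
    #   verify=FAILED:reason certificate presented but rejected
    log_format mtls '$remote_addr [$time_local] "$request" $status '
                    'proto=$ssl_protocol verify=$ssl_client_verify '
                    'subject="$ssl_client_s_dn" issuer="$ssl_client_i_dn" '
                    'serial=$ssl_client_serial';

    server {
        listen 8443 ssl;
        server_name backend.example.internal;

        ssl_certificate     /etc/nginx/tls/server.crt;
        ssl_certificate_key /etc/nginx/tls/server.key;

        # CA bundle that issued the certificate the F5 presents to this node.
        ssl_client_certificate /etc/nginx/tls/client-ca.pem;
        ssl_verify_depth 2;

        # "optional" while troubleshooting: a request without a certificate
        # is still processed and logged with verify=NONE. Switch to "on"
        # once the F5 is confirmed to present its certificate.
        ssl_verify_client optional;

        access_log /var/log/nginx/mtls_access.log mtls;
        # Certificate verification errors are logged at "info" level.
        error_log  /var/log/nginx/mtls_error.log info;

        location / {
            # Refuse anything that did not present a valid certificate.
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            return 200 "client certificate accepted\n";
        }
    }
}
```

A request from the F5 that logs `verify=NONE` means no certificate reached Nginx; `verify=FAILED:...` means one was sent but did not validate against the configured CA bundle.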