Forum Discussion
What happens when a VIP has a ServerSSL Profile without a ClientSSL Profile?
When a VIP receives encrypted traffic and only has a ServerSSL Profile attached, what does it do? Does it just ignore the profile and send the still-encrypted data along as if it is configured for SSL-Passthrough, or does it try to 'encrypt' the encrypted data even further?
I know this isn't a typical configuration and shouldn't be done. I only found it due to a configuration error, and I am curious how the F5 handles it.
- Henrik_Gyllkran
Nimbostratus
Without having tested it myself my guess is it will encrypt it again, leading to a very confused backend server.
- Jason_Adams
Employee
Well, let's consider how an LTM operates with various profiles:
On the clientside, you will have a TCP profile, which will cause TCP Delayed Binding.
[SYN] C -> LTM
[SYN,ACK] C <- LTM
[ACK] C -> LTM
- TCP 3-Way-Handshake is now complete.
Client sends the next segment, which will be load-balanced and sent to a pool member:
[Client_Hello] C -> LTM
The LTM will then make a load-balancing decision and establish a connection with a pool member. And, because a Server-SSL Profile is applied, the LTM will perform SSL Delayed Binding:
[SYN] LTM -> S
[SYN,ACK] LTM <- S
[ACK] LTM -> S
[Client_Hello] LTM -> S
[Server_Hello] LTM <- S
[Key_Exchanges...etc, SSL negotiation completes]
The next thing that will happen is the LTM will forward the [Client_Hello] from the clientside to the pool member.
However, because the SSL Negotiation has already occurred, [Client_Hello] will be received by the L7 Application Server. In my lab, the response is a '400 Bad Request' from the server.
So to answer your question, no, it will not simply send 'Encrypted' data to the back-end server. It will begin by sending the Client's [Client_Hello] to the pool member, which will be received on Layer 7. In my lab, the server will simply respond with a '400 Bad Request', and the connection will complete.
What will actually occur is that the clientside will never successfully negotiate an SSL Connection.
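Since the thread says this happens by configuration error, a quick way to catch it is to audit `tmsh list ltm virtual` output for virtual servers that carry a serverside SSL context with no clientside one. The script below is an added example, not from the thread or from F5; the sample config is constructed and the parser assumes the stanza layout shown in it.

```python
import re
from typing import Dict, List

# Constructed sample of `tmsh list ltm virtual` output (not from a real device).
SAMPLE_CONFIG = """\
ltm virtual /Common/vs_broken {
    destination /Common/10.0.0.10:443
    pool /Common/pool_https
    profiles {
        /Common/serverssl {
            context serverside
        }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_bridged {
    destination /Common/10.0.0.11:443
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/serverssl {
            context serverside
        }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_passthrough {
    destination /Common/10.0.0.12:443
    profiles {
        /Common/tcp { }
    }
}
"""

VS_RE = re.compile(r"^ltm virtual (\S+) \{")
# Assumption: only SSL profiles print an explicit clientside/serverside context;
# other profiles (tcp, http, ...) appear as "{ }" and are ignored here.
CTX_RE = re.compile(r"^\s+context (clientside|serverside)\s*$")

def ssl_contexts(config: str) -> Dict[str, List[str]]:
    """Map each virtual server name to the SSL contexts attached to it."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = VS_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CTX_RE.match(line)
        if m and current is not None:
            result[current].append(m.group(1))
    return result

def serverssl_without_clientssl(config: str) -> List[str]:
    """Virtual servers that would re-encrypt already-encrypted client traffic."""
    return [vs for vs, ctx in ssl_contexts(config).items()
            if "serverside" in ctx and "clientside" not in ctx]
```

Run it against a saved `tmsh list ltm virtual` dump; anything it returns is a VIP whose clients will never complete a TLS handshake, as described above.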