
jpeterson6
Sep 25, 2017

What happens when a VIP has a ServerSSL Profile without a ClientSSL Profile?

When a VIP receives encrypted traffic and only has a ServerSSL Profile attached, what does it do? Does it just ignore the profile and send the still-encrypted data along as if it is configured for SSL-Passthrough, or does it try to 'encrypt' the encrypted data even further?


I know this isn't a typical configuration and shouldn't be done. This was just due to a configuration error that I found, and I am curious how the F5 handles it.


2 Replies

  • Without having tested it myself my guess is it will encrypt it again, leading to a very confused backend server.


  • Well, let's consider how an LTM operates with various profiles:

    On the clientside, you will have a TCP profile, which will cause TCP Delayed Binding.

    [SYN]      C -> LTM
    [SYN,ACK]  C <- LTM
    [ACK]      C -> LTM
    
    • TCP 3-Way-Handshake is now complete.
    • Client sends the next segment, which will be load-balanced and sent to a pool member:

      [Client_Hello] C -> LTM
      

    The LTM will then make a load-balancing decision and establish a connection with a pool member. And, because a Server-SSL Profile is applied, the LTM will perform SSL Delayed Binding:

    [SYN]          LTM -> S
    [SYN,ACK]      LTM <- S
    [ACK]          LTM -> S
    [Client_Hello] LTM -> S
    [Server_Hello] LTM <- S
    [Key_Exchanges...etc, SSL negotiation completes]
    
    • The next thing that will happen is the LTM will forward the [Client_Hello] from the clientside to the pool member.

  • However, because the SSL negotiation has already occurred, the [Client_Hello] will be received by the L7 application server. In my lab, the response is a '400 Bad Request' from the server.

    So to answer your question: no, it will not simply send 'encrypted' data to the back-end server. It will begin by sending the client's [Client_Hello] to the pool member, which will be received on Layer 7. In my lab, the server will simply respond with a '400 Bad Request', and the connection will complete.

    What will actually occur is that the clientside will never successfully negotiate an SSL Connection.
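Since the thread shows that a serverssl-only virtual never completes a TLS handshake with its clients, a quick audit for this misconfiguration is useful. The following is an added example, not code from the thread or from F5: it parses text in the shape of `tmsh list ltm virtual` output (the exact format and the sample virtual servers are assumptions constructed for the example) and flags any virtual whose profiles include a serverside SSL context without a clientside one.

```python
import re

# Constructed sample in the shape of `tmsh list ltm virtual` output (the format
# is an assumption; nothing here comes from the original thread). vs_broken
# carries only a serverssl profile, vs_ok carries both clientssl and serverssl.
SAMPLE_TMSH = """\
ltm virtual vs_broken {
    profiles {
        http { }
        serverssl {
            context serverside
        }
        tcp { }
    }
}
ltm virtual vs_ok {
    profiles {
        clientssl {
            context clientside
        }
        serverssl {
            context serverside
        }
        tcp { }
    }
}
"""


def parse_virtuals(text):
    """Map each virtual server name to the set of SSL profile contexts it uses;
    only clientssl/serverssl profiles carry an explicit 'context ...' line."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"ltm virtual (\S+) \{", line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        m = re.match(r"\s*context (\S+)", line)
        if m and current is not None:
            result[current].add(m.group(1))
    return result


def find_serverssl_only(text):
    """Virtuals that re-encrypt toward the pool but never decrypt the client side."""
    return sorted(name for name, ctx in parse_virtuals(text).items()
                  if "serverside" in ctx and "clientside" not in ctx)
```

Running `find_serverssl_only(SAMPLE_TMSH)` on the constructed sample returns `['vs_broken']`, the virtual whose clients would see the failed handshake described above.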