What happens when a VIP has a ServerSSL Profile without a ClientSSL Profile?
Well, let's consider how an LTM operates with various profiles:
On the clientside, you will have a TCP profile, which will cause TCP Delayed Binding.
[SYN] C -> LTM
[SYN,ACK] C <- LTM
[ACK] C -> LTM
- TCP 3-Way-Handshake is now complete.
Client sends the next segment, which will be load-balanced and sent to a pool member:
[Client_Hello] C -> LTM
The LTM will then make a load-balancing decision and establish a connection with a pool member. And, because a Server-SSL Profile is applied, the LTM will perform SSL Delayed Binding:
[SYN] LTM -> S
[SYN,ACK] LTM <- S
[ACK] LTM -> S
[Client_Hello] LTM -> S
[Server_Hello] LTM <- S
[Key_Exchanges...etc, SSL negotiation completes]
The next thing that will happen is the LTM will forward the [Client_Hello] from the clientside to the pool member.
However, because the SSL Negotiation has already occurred, [Client_Hello] will be received by the L7 Application Server. In my lab, the response is a '400 Bad Request' from the server.
So to answer your question, no, it will not simply send 'Encrypted' data to the back-end server. It will begin by sending the client's [Client_Hello] to the pool member, which will be received on Layer 7. In my lab, the server will simply respond with a '400 Bad Request', and the connection will complete.
What will actually occur is that the clientside will never successfully negotiate an SSL Connection.
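
The symptom described in the answer above can be recognized from the pool member's side. As an added example (not part of the original post), this Python sketch flags HTTP 400 log entries whose request bytes are actually a TLS ClientHello record; the combined-style log layout with `\xNN` escaping and the sample lines are constructed assumptions.

```python
import re
import struct

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a pool member's application reads from a connection."""
    # TLS record header: type(1) version(2) length(2); then handshake type(1).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        (record_len,) = struct.unpack("!H", data[3:5])
        if record_len > 0 and data[5] == 0x01:
            return "tls_client_hello"
        return "tls_handshake"
    if re.match(rb"[A-Z]+ \S+ HTTP/\d\.\d", data):
        return "http_request"
    return "unknown"

# Assumed log layout: src ... "request" status size ...
LOG_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<req>.*?)" (?P<status>\d{3}) ')

def find_misrouted_hellos(lines):
    """Return source addresses of 400 responses whose 'request' was a TLS handshake."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "400":
            continue
        # Undo the \xNN escaping applied to non-printable request bytes.
        text = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda h: chr(int(h[1], 16)), m["req"])
        if classify_first_bytes(text.encode("latin-1")).startswith("tls_"):
            hits.append(m["src"])
    return hits

# Constructed sample lines (not from the original post).
SAMPLE_LOG = [
    r'10.1.20.5 - - [01/Jan/2024:10:00:00 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03" 400 157 "-" "-"',
    r'10.1.20.5 - - [01/Jan/2024:10:00:02 +0000] "GET /health HTTP/1.1" 200 2 "-" "probe"',
    r'10.1.20.5 - - [01/Jan/2024:10:00:03 +0000] "GET /%zz HTTP/1.1" 400 157 "-" "-"',
]

if __name__ == "__main__":
    for src in find_misrouted_hellos(SAMPLE_LOG):
        print(f"{src}: TLS ClientHello received as HTTP; check the virtual server's clientside SSL profile")
```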