Forum Discussion

Harold_Deadman_
Sep 28, 2011

What is the appropriate way to use SSL::disable serverside / SSL::enable serverside?

We have a requirement to encrypt server-side traffic between the F5 and our SSO web application (CAS) because passwords are transmitted. Our F5 VIP has several different applications behind it on several different pools, and we have an iRule that is routing traffic to the appropriate pools. Most pools are accessed via HTTP rather than HTTPS. I added a server-side profile to the VIP and then disabled it in the CLIENT_ACCEPTED event. If the traffic is bound for the pool where our SSO application lives, then I enable server-side SSL before sending traffic to the pool (SSL::enable serverside). The login process proceeds quickly, but then there are severe delays on subsequent requests to non-SSL pools. What appears to be happening is that SSL remains enabled and that the F5 is falling back to HTTP if it can't negotiate an SSL connection (but only after a significant delay or timeout).

Is that what is happening? I would have expected the F5 to fail rather than falling back to not encrypting the traffic.

Is enabling/disabling server-side SSL an expensive operation? Is there a method to tell the current state or do I need to keep track in a variable? When I try to disable it or enable it prior to each pool request (based on whether the pool is to an SSL port or not) it seems that I still see delays and worse performance than if I don't have server-side SSL on the VIP at all. If the operation is expensive then maybe I need to keep track of the state so I am only turning it off or on if it is in the wrong state for the pool that traffic will be sent to.

Where (which event) is the appropriate place to turn SSL off and on? I notice that if I turn SSL on before the pool statement and disable it after the pool statement then the SSL response from the server is not decrypted by the F5 and the encrypted response from the server is re-encrypted and sent to the browser. Is there an event after the HTTP response is sent where I could disable server-side SSL?

Thanks for any insights or pointers to any resources on this topic.
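The pattern the post describes (server-side SSL off in CLIENT_ACCEPTED, on only for the SSO pool), written out as an added example iRule that is not from the original post or from F5; it tracks the current server-side SSL state in a connection-scoped variable so the setting is only toggled when the target pool actually needs a different state. It assumes the VIP carries an HTTP profile and a server SSL profile, that the pool names and the host name are placeholders, and that a changed server-side SSL setting takes effect on the next server-side connection, which is why the existing one is detached when the state changes.

```tcl
# Added example, not the poster's iRule. Placeholder names:
#   sso.example.com  - host name that selects the SSO (HTTPS backend) pool
#   sso_pool_ssl     - pool listening on an SSL port
#   app_pool_http    - pool listening on plain HTTP
when CLIENT_ACCEPTED {
    # Most pools are plain HTTP, so start every client connection
    # with server-side SSL disabled and remember that state.
    # iRule variables are scoped to the client connection, so
    # ssl_on follows this connection across its HTTP requests.
    SSL::disable serverside
    set ssl_on 0
}

when HTTP_REQUEST {
    # Decide the target pool and whether it requires server-side SSL.
    if { [string tolower [HTTP::host]] equals "sso.example.com" } {
        set target   "sso_pool_ssl"
        set need_ssl 1
    } else {
        set target   "app_pool_http"
        set need_ssl 0
    }

    # Only touch the SSL setting when the required state differs from
    # the tracked state, so repeated requests to the same kind of pool
    # never re-run enable/disable.
    if { $need_ssl != $ssl_on } {
        # Assumption (see lead-in): the new setting applies to the next
        # server-side connection, so release the current one first
        # instead of reusing a connection negotiated with the old setting.
        LB::detach
        if { $need_ssl } {
            SSL::enable serverside
        } else {
            SSL::disable serverside
        }
        set ssl_on $need_ssl
    }

    # Select the pool after the SSL state has been settled for this request.
    pool $target
}
```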