cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Enabling Server-side SSL in Production Environment

joshr
Nimbostratus
Nimbostratus

Looking for some guidance, best practices or a case study around a scenario I'm working with.

 

I'm currently doing Client-Side TLS only. My primary use-case is an HTTPS Virtual Server (Client SSL only) with a policy for path based forwarding (currently have a couple hundred path based rules in my policy).

 

I've now been tasked with enabling Server-Side TLS in my production environment. I do not have a requirement to support mTLS or x.509 (i.e. backend server does not need to know about the original client certificate).

 

I'm wondering if anyone has made this migration before or has any tips for running in a "mixed mode" environment. I would like to provide my developers with the luxury of enabling TLS on their service on their own schedule. I've checked the Server Side SSL Profile docs and noticed the "Bypass on Handshake Alert" option .. I'm wondering if there's any further documentation for that feature.. seems like this is related only to the SSL Forward Proxy functionality, not sure it would help in my scenario?

 

Ideally, I'd like to run my F5 Server SSL Profile in an "opportunistic" mode.. i.e. attempt to connect to the server using SSL, if the handshake fails, fall-back to an unencrypted connection to the server.

 

Has anyone made this migration before? Any war stories you can share? Unfortunately, the documentation for Server SSL Profile's is great but I've found very little information about the migration path from "not-using a Server SSL profile at all" to "effectively using a Server SSL profile without causing negative impact on the journey".

 

Thanks!

1 REPLY 1

Simon_Blakely
F5 Employee
F5 Employee

Well, you have to have a new pool that points to the TLS/SSL port on the node, rather than the unencrypted port.

 

So you need to build the new pools, then assign both the server-ssl profile and the new pool to the virtual.

 

That's it - it's pretty simple.