Need help passing the cert to the pool member when using client/server ssl profiles
Our application developers are launching Mirth and I've setup a Standard VIP listening on 443, http profile, with client/server ssl profile and an iRule (uri based). The server cert portion is working just fine, but was informed yesterday that they needed the client cert to be passed along to the pool members. After doing some reading, I set both profiles to Proxy SSL. Once I set that, they immediately saw SSL handshake failures. From a SSLDUMP I am seeing the following:
# ssldump -r /var/tmp/proxycap.pcap
New TCP connection #1: 10.144.22.176(53294) <-> 10.144.20.176(443)
1 1 0.0008 (0.0008) C>S SSLv2 compatible client hello
Version 3.3
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
SSL2_CK_3DES
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
SSL2_CK_DES
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
SSL2_CK_RC4
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Unknown value 0xa7
Unknown value 0xa6
TLS_DH_anon_WITH_AES_256_CBC_SHA256
Unknown value 0xc019
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA256
Unknown value 0xc018
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
SSL2_CK_DES
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
TLS_RSA_WITH_NULL_SHA256
Unknown value 0xc006
SSL2_CK_RC2_EXPORT40
Unknown value 0xc010
TLS_RSA_WITH_NULL_SHA
Unknown value 0xc001
Unknown value 0xc00b
Unknown value 0xc015
TLS_RSA_WITH_NULL_MD5
Unknown value 0x1e
Unknown value 0x22
1 2 0.0063 (0.0055) S>C Alert
level fatal
value handshake_failure
1 0.0064 (0.0000) S>C TCP RST
The F5 is a 1600 running 12.1.2 code. let me know if I am overlooking something or there is a better way to perform this for the app team. Thanks.