Showing results for 
Search instead for 
Did you mean: 

Need help passing the cert to the pool member when using client/server ssl profiles


Our application developers are launching Mirth and I've setup a Standard VIP listening on 443, http profile, with client/server ssl profile and an iRule (uri based). The server cert portion is working just fine, but was informed yesterday that they needed the client cert to be passed along to the pool members. After doing some reading, I set both profiles to Proxy SSL. Once I set that, they immediately saw SSL handshake failures. From a SSLDUMP I am seeing the following:


 # ssldump -r /var/tmp/proxycap.pcap

New TCP connection #1: <->

1 1 0.0008 (0.0008) C>S SSLv2 compatible client hello

 Version 3.3

 cipher suites















































 Unknown value 0xa7 

 Unknown value 0xa6 


 Unknown value 0xc019 



 Unknown value 0xc018 








 Unknown value 0xc006 


 Unknown value 0xc010 


 Unknown value 0xc001 

 Unknown value 0xc00b 

 Unknown value 0xc015 


 Unknown value 0x1e 

 Unknown value 0x22 

1 2 0.0063 (0.0055) S>C Alert

   level          fatal

   value          handshake_failure

1   0.0064 (0.0000) S>C TCP RST


The F5 is a 1600 running 12.1.2 code. let me know if I am overlooking something or there is a better way to perform this for the app team. Thanks.


F5 Employee
F5 Employee



As it appears that the pool member requires information from the client-side client auth certificate, you really need to use:

K72668381:  Overview of the SSL Client Certificate Constrained Delegation feature


which requires upgrading to 13.1.x


K14065425:  Configuring Client Certificate Constrained Delegation (C3D)




Silly question, what is the latest version of software the 1600 series will support? Thanks again for your quick response!

K9476:  The F5 hardware/software compatibility matrix


1600 - BigIP 12.1.2


Get a Virtual Edition License ...


Alright, back again. We had a 4200 unit lying around which was recently reclaimed from another location. I've wiped it clean and upgraded the software to BIG-IP 15.1.0 Build 0.0.31 Final. I've duplicated the VIP setup from lat time and appending in the C3D pieces to the client/server ssl profiles. I seem to be stuck at the client cert handshake:


New TCP connection #3: <->

3 1 0.0515 (0.0515) C>S Handshake


       Version 3.1

       cipher suites








       compression methods









         Unknown extension (0x18)


3 2 0.0526 (0.0010) S>C Handshake


       Version 3.1


         cf e2 d9 64 73 36 1d d9 56 ca c2 8c 7b 9e 65 82

         b8 b5 15 06 e3 01 d1 9a 1a 6c 08 82 8b 6e f5 d0

       cipherSuite        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

       compressionMethod                  NULL





3 3 0.0526 (0.0000) S>C Handshake


3 4 0.0526 (0.0000) S>C Handshake


3 5 0.0526 (0.0000) S>C Handshake


       certificate_types                  rsa_sign

       certificate_types                  dss_sign

       certificate_types                  ecdsa_sign

3 6 0.0526 (0.0000) S>C Handshake


3 7 0.1059 (0.0533) C>S Handshake




3 8 0.1059 (0.0000) C>S ChangeCipherSpec

3 9 0.1059 (0.0000) C>S Handshake

3 10 0.1063 (0.0003) S>C Alert

   level          fatal

   value          handshake_failure

3   0.1063 (0.0000) S>C TCP FIN

3   0.1342 (0.0279) C>S TCP FIN

New TCP connection #4: <->

4   0.0203 (0.0203) C>S TCP FIN

4   0.0203 (0.0000) S>C TCP FIN

(cfg-sync Standalone)(Active)(/Common)(tmos)#


You probably need to capture both the client and server-side handshakes at the same time.

You may be getting a server-side authentication failure when the forged certificate is passed to the pool member.