cancel
Showing results for 
Search instead for 
Did you mean: 

SSL Configuration Using IIS 6

Adr_Ant
Nimbostratus
Nimbostratus

Hello,

 

I need help to protect my website using F5 BIG IP-i2600. My current situation like this:

  1. I have 2 domain using 2 different server.
  2. I purchase multidomain SSL Certificate for this 2 domain
  3. SSL Certificate (certificate, key and ca bundle) installed on web server (IIS 6) and also uploaded to F5
  4. Create SSL client and server profile. Attach it to virtual server (listening on HTTPS port) with pool member also use port 443
  5. Create https NAT to forward my ip public to virtual server IP

 

When I try to access my site using https, it gave me PR_CONNECT_RESET_ERROR, I use Firefox browser. Another domain don't have this issue (apache), i can access it using https. And i also can access the site using https if the connection not using F5/direct to web server

 

Checked all the settings and it is identical to other domain that don't have issue. Any suggestion? maybe there are settings related to IIS 6 web server?

4 REPLIES 4

Simon_Blakely
F5 Employee
F5 Employee

You need to take a tcpdump on the BigIP to see where the reset is being generated from, and why.

 

tcpdump -n -v -s0 -i0.0:nnnp host <vip IP> and port 443

Also, try running a curl command to the VIP

 

curl -kv https://<vip fqdn>/ --resolve <vip fqdn>:443:<vip IP>

 

Adr_Ant
Nimbostratus
Nimbostratus

This is the result from tcpdump and curl command

 

tcpdump -n -v -s0 -i0.0:nnnp host 192.168.2.19 and port 443

tcpdump: listening on 0.0:nnnp, link-type EN10MB (Ethernet), capture size 65535 bytes

10:39:38.645396 IP (tos 0x0, ttl 63, id 28006, offset 0, flags [DF], proto TCP (6), length 52)

   112.78.146.106.57576 > 192.168.2.19.https: Flags [S], cksum 0xf033 (correct) , seq 3791145506, win 43690, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=1 inport=1 haunit=0 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal= 00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.645429 IP (tos 0x0, ttl 255, id 35770, offset 0, flags [DF], proto TCP (6), length 48)

   192.168.2.19.https > 112.78.146.106.57576: Flags [S.], cksum 0xc596 (incorrect -> 0x705f), seq 3635828138, ack 3791145507, win 4380, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=100208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.645568 IP (tos 0x0, ttl 63, id 28007, offset 0, flags [DF], proto TCP (6), length 40)

   112.78.146.106.57576 > 192.168.2.19.https: Flags [.], cksum 0x0294 (correct), ack 1, win 43690, length 0 in slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=100208004000024 inslot=1 inport=1 haunit=0 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.645677 IP (tos 0x0, ttl 63, id 28008, offset 0, flags [DF], proto TCP (6), length 557)

   112.78.146.106.57576 > 192.168.2.19.https: Flags [P.], cksum 0x612b (correct), seq 1:518, ack 1, win 43690, length 517 in slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=0 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.645712 IP (tos 0x0, ttl 255, id 35774, offset 0, flags [DF], proto TCP(6), length 40)

   192.168.2.19.https > 112.78.146.106.57576: Flags [.], cksum 0xc58e (incorrect -> 0x9818), ack 518, win 4897, length 0 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.646475 IP (tos 0x0, ttl 255, id 35776, offset 0, flags [DF], proto TCP(6), length 142)

   192.168.2.19.https > 112.78.146.106.57576: Flags [P.], cksum 0xc5f4 (incorrect -> 0x51d6), seq 1:103, ack 518, win 4897, length 102 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.646502 IP (tos 0x0, ttl 255, id 35778, offset 0, flags [DF], proto TCP (6), length 85)

   192.168.2.19.https > 112.78.146.106.57576: Flags [P.], cksum 0xc5bb (incorrect -> 0xa48f), seq 103:148, ack 518, win 4897, length 45 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

 

----------------------------------------------

 

curl -kv https://pasutra.net/ --resolve pasutra.net:443:192.168.2.19

* Added pasutra.net:443:192.168.2.19 to DNS cache

* Hostname pasutra.net was found in DNS cache

*  Trying 192.168.2.19...

* Connected to pasutra.net (192.168.2.19) port 443 (#0)

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

*  CAfile: /etc/pki/tls/certs/ca-bundle.crt

 CApath: none

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

* Server certificate:

*       subject: CN=santosjayaabadi.co.id

*       start date: Feb 4 00:00:00 2020 GMT

*       expire date: Feb 3 23:59:59 2021 GMT

*       issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA

*       SSL certificate verify ok.

> GET / HTTP/1.1

> Host: pasutra.net

> User-Agent: curl/7.47.1

> Accept: */*

>

* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

* Closing connection 0

curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

 

I've sort of run out of ideas beyond posting here and looking for some ideas on where to look.

So the client-side SSL profile is working.

You probably have an issue with the server-side SSL profile establishing a connection to the pool member.

 

Try using the serverssl-insecure-compatible server-ssl profile on the virtual (for the server-ssl profile)

Adr_Ant
Nimbostratus
Nimbostratus

ahh you're right..i can access the web using https now. i think it is because IIS 6 still support or use low strength ciphers. thank you so much for your insight...really appreciate it