SSL Configuration Using IIS 6

Question

Hello,&nbsp;I need help to protect my website using F5 BIG IP-i2600. My current situation like this:I have 2 domain using 2 different server.I purchase multidomain SSL Certificate for this 2 domainSSL Certificate (certificate, key and ca bundle) installed on web server (IIS 6) and also uploaded to F5Create SSL client and server profile. Attach it to virtual server (listening on HTTPS port) with pool member also use port 443Create https NAT to forward my ip public to virtual server IP&nbsp;When I try to access my site using https, it gave me PR_CONNECT_RESET_ERROR, I use Firefox browser. Another domain don't have this issue (apache), i can access it using https. And i also can access the site using https if the connection not using F5/direct to web server&nbsp;Checked all the settings and it is identical to other domain that don't have issue. Any suggestion? maybe there are settings related to IIS 6 web server?

simon_blakely · Answer

You need to take a tcpdump on the BigIP to see where the reset is being generated from, and why.

tcpdump -n -v -s0 -i0.0:nnnp host <vip IP> and port 443

Also, try running a curl command to the VIP

curl -kv https://<vip fqdn>/ --resolve <vip fqdn>:443:<vip IP>

adr_ant · Answer

This is the result from tcpdump and curl command

tcpdump -n -v -s0 -i0.0:nnnp host 192.168.2.19 and port 443

tcpdump: listening on 0.0:nnnp, link-type EN10MB (Ethernet), capture size 65535 bytes

10:39:38.645396 IP (tos 0x0, ttl 63, id 28006, offset 0, flags [DF], proto TCP (6), length 52)

112.78.146.106.57576 > 192.168.2.19.https: Flags [S], cksum 0xf033 (correct) , seq 3791145506, win 43690, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=1 inport=1 haunit=0 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal= 00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.645429 IP (tos 0x0, ttl 255, id 35770, offset 0, flags [DF], proto TCP (6), length 48)

192.168.2.19.https > 112.78.146.106.57576: Flags [S.], cksum 0xc596 (incorrect -> 0x705f), seq 3635828138, ack 3791145507, win 4380, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=100208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.645568 IP (tos 0x0, ttl 63, id 28007, offset 0, flags [DF], proto TCP (6), length 40)

112.78.146.106.57576 > 192.168.2.19.https: Flags [.], cksum 0x0294 (correct), ack 1, win 43690, length 0 in slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=100208004000024 inslot=1 inport=1 haunit=0 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.645677 IP (tos 0x0, ttl 63, id 28008, offset 0, flags [DF], proto TCP (6), length 557)

112.78.146.106.57576 > 192.168.2.19.https: Flags [P.], cksum 0x612b (correct), seq 1:518, ack 1, win 43690, length 517 in slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=0 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.645712 IP (tos 0x0, ttl 255, id 35774, offset 0, flags [DF], proto TCP(6), length 40)

192.168.2.19.https > 112.78.146.106.57576: Flags [.], cksum 0xc58e (incorrect -> 0x9818), ack 518, win 4897, length 0 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.646475 IP (tos 0x0, ttl 255, id 35776, offset 0, flags [DF], proto TCP(6), length 142)

192.168.2.19.https > 112.78.146.106.57576: Flags [P.], cksum 0xc5f4 (incorrect -> 0x51d6), seq 1:103, ack 518, win 4897, length 102 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

10:39:38.646502 IP (tos 0x0, ttl 255, id 35778, offset 0, flags [DF], proto TCP (6), length 85)

192.168.2.19.https > 112.78.146.106.57576: Flags [P.], cksum 0xc5bb (incorrect -> 0xa48f), seq 103:148, ack 518, win 4897, length 45 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

----------------------------------------------

curl -kv https://pasutra.net/ --resolve pasutra.net:443:192.168.2.19

* Added pasutra.net:443:192.168.2.19 to DNS cache

* Hostname pasutra.net was found in DNS cache

* Trying 192.168.2.19...

* Connected to pasutra.net (192.168.2.19) port 443 (#0)

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

* CAfile: /etc/pki/tls/certs/ca-bundle.crt

CApath: none

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

* Server certificate:

* subject: CN=santosjayaabadi.co.id

* start date: Feb 4 00:00:00 2020 GMT

* expire date: Feb 3 23:59:59 2021 GMT

* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA

* SSL certificate verify ok.

> GET / HTTP/1.1

> Host: pasutra.net

> User-Agent: curl/7.47.1

> Accept: */*

>

* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

* Closing connection 0

curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

I've sort of run out of ideas beyond posting here and looking for some ideas on where to look.

simon_blakely · Answer

So the client-side SSL profile is working.

You probably have an issue with the server-side SSL profile establishing a connection to the pool member.

Try using the serverssl-insecure-compatible server-ssl profile on the virtual (for the server-ssl profile)

adr_ant · Answer

ahh you're right..i can access the web using https now. i think it is because IIS 6 still support or use low strength ciphers. thank you so much for your insight...really appreciate it

Forum Discussion

SSL Configuration Using IIS 6

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

SSL Orchestrator Advanced Use Cases: DNS Sinkholing

SSL Orchestrator Advanced Use Cases: Integrating SOCKS Proxy

SSL Orchestrator Advanced Use Cases: Custom Blocking Pages

SSL Orchestrator Advanced Use Cases: Inbound Authentication