Forum Discussion
SSL protocol mismatch
- Oct 05, 2023
Actually, I just did that and replied to Amine above. With the SSL Profile (Client) and SSL Profile (Server) set up, doing a tcpdump capturing only the VS IP, I see 9 packets, none of which are an SSL/TLS negotiation. So it's like they aren't even trying the TLS communication, or the communication is dying when they try to start the negotiation.
As you can see above, no TLS communication is attempted and this is all communication between the client and VS. The VS doesn't seem to initiate any contact with the pool member.
If I just have the SSL passthrough (i.e. "Performance (Layer4)"), the connection succeeds and I clearly see the TLS negotiation taking place.
irbk It seems as though you have both SSL and non-SSL communication occurring over the same IP and port, which will definitely cause issues when performing SSL termination on the F5. The reason this will cause issues is because the F5 expects SSL communication but receives traffic that isn't SSL.
- irbk Oct 05, 2023
Cirrus
Yes, this is 100% correct. Traffic starts out as just regular TCP traffic and then changes to TLS and continues as both TLS and TCP traffic. Here is Wireshark output from a good connection (SSL passthrough).
You can see that the communication that's going on is both TCP and TLS traffic on the same port. So are you saying the F5 is incapable of SSL bridging in this situation?
- Paulius Oct 05, 2023
MVP
irbk That is correct. Unless you have some way of the F5 being able to look for a value in the client request that would define if it was intended to be SSL or not you would have to split SSL and non-SSL into two different VS listening on different ports on the F5 side that is client facing.
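An added example, not from the thread and not F5 code, of the kind of "value in the client request" check Paulius refers to: it parses the first bytes a client sends and reports whether they are a TLS ClientHello (with the SNI host name, which is what a content-based split would key on) or plaintext. It also shows why such a check cannot help with the session described above, which opens in plaintext and only later switches to TLS. The host name and sample bytes are constructed for the example.

```python
import struct

TLS_HANDSHAKE = 0x16   # content type of a TLS handshake record
CLIENT_HELLO = 0x01    # handshake message type

def _parse_sni(body: bytes):
    """Walk a ClientHello body (after the 4-byte handshake header) to the SNI."""
    pos = 2 + 32                                             # client_version + random
    if len(body) < pos + 1: return None
    pos += 1 + body[pos]                                     # session_id
    if len(body) < pos + 2: return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    if len(body) < pos + 1: return None
    pos += 1 + body[pos]                                     # compression_methods
    if len(body) < pos + 2: return None
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(edata) >= 5 and edata[2] == 0:  # server_name / host_name
            nlen = struct.unpack("!H", edata[3:5])[0]
            return edata[5:5 + nlen].decode("ascii", "replace")
    return None

def classify_first_bytes(data: bytes) -> dict:
    """Classify what a client sent first on a connection: TLS ClientHello or not.
    Only the opening bytes are inspected, so a session that starts in plaintext and
    upgrades to TLS later (the pattern described in the thread) reads as plaintext."""
    if len(data) < 6 or data[0] != TLS_HANDSHAKE or data[1] != 3 or data[5] != CLIENT_HELLO:
        return {"tls": False}
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    return {"tls": True, "record_version": (data[1], data[2]),
            "complete": len(data) - 5 >= rec_len, "sni": _parse_sni(body)}

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello used as sample input (not a real client)."""
    name = host.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"                     # version, random, no session id
            + struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"   # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A short first capture (fewer bytes than the record length) is reported as `complete: False` with no SNI, so a real implementation would keep collecting before deciding.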
- irbk Oct 05, 2023
Cirrus
Paulius I don't believe there's any way I can tell the F5 "this is TLS traffic" vs "this is TCP traffic". I'm positive there's no way for me to tell the server to split the traffic to two different ports. So it kind of sounds like my only option is the SSL passthrough. Bummer. Thanks for the assist!